Abstract

Interleaving  theories  have  traditionally  failed  to  integrate  a  satisfactory  treatment  of  the  so-called 
“finite delay property”. This is generally attributed to the expansion law of such theories, but actually,
the  problem  is  rooted  in  the  concept  of  labelled  transition  system.  We  introduce  a  new  type  of  system, 
in  which,  instead  of  labelled  transitions,  we  have,  essentially,  sequences  of  labelled  transitions.  We  call 
systems  of  this  type  labelled  execution  systems.  We  use  a  coalgebraic  representation  to  obtain,  in  a 
canonical  way,  a  suitable  concept  of  bisimilarity  among  such  systems,  study  the  conditions  under  which 
that  concept  agrees  with  the  intuitive  understanding  of  equivalence  of  branching  structure  that  one  has 
for  these  systems,  and  examine  their  relationship  with  labelled  transition  systems,  precisely 
characterizing  the  difference  in  expressive  power  and  branching  complexity  between  the  two  kinds  of 
systems. 


1  Introduction 

The  process  algebra  literature  is  dominated  by  the  concept  of  labelled  transition  system.  And  to  some 
extent,  this  is  understandable.  For  process  algebra  emerged  from  the  marriage  of  Plotkin’s  structural 
operational  semantics  (see  [53])  and  Keller’s  named  transition  systems  (see  [36])  (see  [46,  chap.  12],  [13], 
[54],  [11]).  This  marriage  was  the  work  of  Robin  Milner,  and  is  most  clearly  expounded  in  [46],  but  was 
already  present  in  [42],  where  the  so-called  “expansion  law”  was  stated  for  the  first  time. 

The  expansion  law  has  been  a  constant  source  of  controversy  in  the  theory  of  concurrency.  In  the  language 
of  Milner’s  CCS  (see  [43],  [46]),  a  typical  equation  asserted  by  the  law  is  the  following: 

a.0 | b.0 = a.b.0 + b.a.0.  (1)

Here, ‘a’ and ‘b’ stand for arbitrary actions, ‘0’ for the inactive agent, which is incapable of performing any
action, ‘.’ for sequential composition, ‘|’ for parallel composition, and ‘+’ for alternative composition. And
the  intended  meaning  of  (1)  is  that  the  parallel  execution  of  a  and  b  is  “equivalent”,  in  some  sense,  to  the 
indeterminate  serialization  of  the  two. 

In  order  to  justify  the  expansion  law,  and  the  blurring  between  causal  dependence  and  temporal 
precedence  resulting  from  it,  Milner  wrote  the  following  in  [42,  p.  81]: 

We  do  not  yet  know  how  to  frame  a  sufficiently  general  law  without,  in  a  sense,  explicating 
parallelism  in  terms  of  non-determinism.  More  precisely,  this  means  that  we  explicate  a 
(parallel)  composition  by  presenting  all  serializations  -  or  interleavings  -  of  its  possible  atomic 
actions. This has the disadvantage that we lose distinction between causally necessary sequence,
and sequence which is fictitiously imposed upon causally independent actions; .... However, it
may be justified to ignore it if we can accept the view that, in observing (communicating with)
a composite system, we make our observations in a definite time sequence, thereby causing a
sequencing of actions which, for the system itself, are causally independent.

* This work was supported in part by the Center for Hybrid and Embedded Software Systems (CHESS) at UC Berkeley,
which receives support from the National Science Foundation (NSF awards #0720882 (CSR-EHS: PRET), #1035672 (CPS:
PTIDES), and #0931843 (ActionWebs)), the U. S. Army Research Lab (ARL #W911NF-11-2-0038), the Air Force Research
Lab (AFRL), the Multiscale Systems Center (MuSyC), one of six research centers funded under the Focus Center Research
Program, a Semiconductor Research Corporation program, and the following companies: Bosch, National Instruments,

Effectively,  what  he  argued  for  was  a  dichotomy  between  causation  and  observation  in  the  theory  of 
concurrency.  And  what  he  proposed  as  an  observational  view  to  the  theory  was  the  interleaving  of  the 
atomic  actions  of  the  various  agents  inside  a  system  as  would  be  perceived  by  a  single,  sequential  observer 
outside  the  system.  But  what  he  failed  to  admit  was  that  the  expansion  law  is  in  fact  inconsistent  with 
that  view. 

To  understand  the  mismatch,  consider  the  following  equation  derived  from  the  expansion  law,  again  in  the 
language  of  CCS: 

fix(X = a.X) | fix(X = b.X) = fix(X = a.X + b.X).  (2)

Here, we use recursion expressions to define agents with infinite behaviour. Thus, fix(X = a.X) is an agent
that forever iterates a, fix(X = b.X) one that forever iterates b, and fix(X = a.X + b.X) one that at each
iteration does either a or b, indeterminately choosing between the two. But whereas every infinite sequence
over {a, b} is a trace of a possible execution of fix(X = a.X + b.X), not every such sequence is consistent
with what could be perceived by a sequential observer of fix(X = a.X) | fix(X = b.X). Indeed, only those
sequences that contain both an infinite number of a’s and an infinite number of b’s are. For if
fix(X = a.X) and fix(X = b.X) execute in parallel, each of them must eventually perform an infinite
number of actions, and each of these actions must eventually be perceived by any sequential observer of
fix(X = a.X) | fix(X = b.X).

All  this  goes  unnoticed  in  the  finite  case,  because  interleaving  the  executions  of  two  finite  agents  is 
ultimately  equivalent  to  indeterminately  alternating  between  the  two.  But  the  expansion  law  blindly 
carried  that  equivalence  over  to  the  infinite  case.  And  this  created  confusion.  Interleaving  became 
synonymous  with  bounded  indeterminacy  (see  [24,  chap.  9]),  and  the  observational  view  was  robbed  of  its 
power  to  express  properties  like  fairness  (see  [55])  or  the  finite  delay  property  (see  [34])  (e.g.,  see  [50]). 

Of  course,  it  is  not  the  expansion  law  per  se  that  is  to  blame  for  this  confusion.  In  order  to  develop  an 
observational  theory  of  processes  of  some  kind,  one  must  decide  what  the  unit  of  observation  should  be. 

For  a  theory  based  on  the  concept  of  labelled  transition  system,  this  unit  is  effectively  fixed  to  what  can  be 
represented  by  a  single  transition:  a  single  action  or  event.  But  at  that  scale  of  observation,  it  is  only  the 
local  properties  of  the  behaviour  of  a  process  that  carry  over  to  the  model.  Non-local  properties,  specifically 
those  concerning  infinite  executions  of  the  process,  do  not.  For  examples  of  the  first  kind,  one  may  look  at 
safety  properties,  such  as  mutual  exclusion  or  deadlock  freedom,  whereas  for  examples  of  the  second  kind, 
one  may  look  at  liveness  properties,  such  as  termination  or  guaranteed  service  (see  [38],  [40],  [9]). 

To  risk  an  analogy,  we  might  think  of  a  labelled  transition  system  as  an  intuitionistic  approach  to  a  model 
of  a  process.  For  an  intuitionist,  an  infinite  execution  cannot  possibly  claim  existence  as  a  completed 
totality  of  actions  or  events.  It  is  only  “a  manifold  of  possibilities  open  towards  infinity;  it  remains  forever 
in  the  status  of  creation,  but  is  not  a  closed  realm  of  things  existing  in  themselves”  (see  [63,  p.  9]).  And 
this  rejection  of  the  notion  of  actual  infinity  is  detrimental  to  the  expressiveness  of  the  approach.  A  process 
is  demoted  to  a  graph,  and  every  path  through  that  graph  is  promoted  to  an  execution  of  that  process. 
This  is  what  renders  indeterminacy  bounded,  and  the  real  reason  behind  the  aforementioned  confusion. 

We  prefer  what  we  might  say  is  a  more  classical  approach,  where  we  fix  the  unit  of  observation  at  the  level 
of  a  complete  execution  of  a  process.  And  for  that,  we  need  a  different  kind  of  mathematical  structure.  The 
purpose  of  this  work  then  is  to  introduce  a  new  kind  of  system,  in  which,  instead  of  labelled  transitions,  one 
has,  essentially,  sequences  of  labelled  transitions.  We  call  systems  of  this  kind  labelled  execution  systems. 

By  changing  the  unit  of  observation,  we  change  the  kind  of  experiment  that  we  may  use  to  investigate  the 
behaviour  of  an  agent  (e.g.,  see  [43,  pp.  10-12]).  In  principle,  we  can  adapt  Milner’s  argument  to  this  new 
kind of experiment, and weather permitting, identify the behaviour of an agent with what we would call
the  branching  structure  of  a  labelled  execution  system  modelling  that  agent.  But  although  motivated  by 
process  algebra  and  its  observational  approach  to  concurrency  theory,  this  work  is  not  about  the  use  of 
labelled  execution  systems  as  models  of  behaviour.  Our  goal  here  is  to  develop  a  thorough  understanding 
of  what  this  so-called  “branching  structure”  of  a  labelled  execution  system  is,  more  or  less  independently  of 
what  it  might  be  used  to  model. 

It  is  instructive  to  look  back  on  how  our  understanding  of  the  notion  of  branching  structure  evolved  in  the 
case  of  labelled  transition  systems.  The  notion  originated  in  Milner’s  work,  albeit  in  an  indirect  way:  two 
systems  were  understood  to  have  the  same  branching  structure  just  as  long  as  they  were  “observationally 
equivalent”. Its use as a characterization of the behaviour of a communicating agent as experienced by an
external observer experimenting on that agent generated some controversy (e.g., see [15]), but the notion
itself proved to be an important one, both in theory and practice. Soon after its inception, it was honed by
David Park’s concept of bisimilarity (see [51]), and before long, parlayed through Peter Aczel’s work (see
[3],  [6])  into  an  overarching  theory  of  universal  coalgebra  (e.g.,  see  [58],  [28]).  This  produced  not  only  a 
direct  formalization  of  the  notion,  in  the  shape  of  the  concept  of  final  coalgebra,  but  also  a  purely 
mathematical  justification  for  it.  It  was  now  possible  to  speak  of  the  notion  as  part  of  an  extensional 
approach  to  systems,  rather  than  an  observational  view  of  processes,  and  perhaps  more  importantly, 
expand  its  scope  to  any  kind  of  mathematical  structure  amenable  to  coalgebraic  treatment. 

Here,  we  subject  our  newly  introduced  systems  to  such  treatment.  We  find  that  the  theory  of  coalgebra 
offers  a  convenient  and  powerful  analytical  framework  for  studying  these  systems  and  working  out  their 
relationship  with  the  more  traditional  transition-based  systems. 

The  main  contributions  of  this  work  are  the  following: 

•  we  define  labelled  execution  systems  (see  Definition  4.1); 

•  we  represent  labelled  execution  systems  coalgebraically  (see  Definition  4.2  and  Proposition  4.3),  and 
use  that  representation  to  obtain,  in  a  canonical  way,  a  suitable  concept  of  bisimilarity  among  such 
systems  (see  Proposition  4.4,  Definition  4.5,  and  Proposition  4.6); 

•  we  show  that  for  the  obtained  concept  of  bisimilarity  to  agree  with  the  intuitive  understanding  of 
equivalence  of  branching  structure  that  one  has  for  labelled  execution  systems,  two  properties  are 
necessary:  suffix  closure  and  fusion  closure  (see  Section  4.3); 

•  we  truncate  the  executions  of  a  labelled  execution  system  to  get  a  uniquely  determined  underlying 
labelled  transition  system,  and  prove  that  bisimilarity  among  labelled  execution  systems  implies 
bisimilarity  among  their  respective  underlying  labelled  transition  systems  (see  Theorem  4.13); 

•  we  show  that  the  converse  fails  if  any  of  the  following  four  properties  fails:  suffix  closure,  fusion 
closure,  limit  closure,  and  what  we  call  impossibility  of  indeterminate  termination  (see  Section  4.5); 

•  we prove that essentially these four properties constitute a complete characterization of what we call
generable labelled execution systems, namely labelled execution systems that are generated from
their respective underlying labelled transition systems (see Theorem 4.24);

•  we prove that bisimilarity among generable labelled execution systems is equivalent to bisimilarity
among their respective underlying labelled transition systems (see Theorem 4.32), rendering the
characterization of generable labelled execution systems a characterization of the difference in
complexity of branching structure between arbitrary labelled execution systems and labelled
transition systems (see also Theorem 4.25, Corollary 4.26 and Theorem 4.33).

The  rest  of  this  document  is  organized  into  five  sections.  In  Section  2,  we  provide  a  brief,  but  rather 
comprehensive,  overview  of  the  theory  of  universal  coalgebra.  In  Section  3,  we  review  the  concept  of 
labelled  transition  system  and  Park’s  concept  of  bisimilarity,  and  go  over  their  coalgebraic  representation. 
The  main  body  of  this  work  is  in  Section  4,  where  we  define  labelled  execution  systems,  work  out  their 
coalgebraic representation, and use that representation to study their branching structure, and characterize
their  relationship  with  labelled  transition  systems.  In  Section  5,  we  discuss  related  work.  We  conclude  in 
Section  6  with  a  few  comments  on  the  implications  of  our  results,  and  some  directions  for  future  work. 

We  would  like  to  finish  this  introduction  with  a  few  remarks. 

First,  throughout  this  work,  we  maintain  a  formal  distinction  between  systems  and  their  coalgebraic 
representations.  This  is  done  for  the  benefit  of  the  non-coalgebraist,  who  we  think  could  use  a  more  careful 
exposition  of  the  correspondence  between  the  two,  and  the  more  application-oriented  reader,  who  might 
only  be  interested  in  results  on  systems. 

Second,  working  with  coalgebras,  we  will  need  to  make  reference  to  a  few  common  concepts  from  category 
theory,  e.g.,  the  concepts  of  category,  functor,  natural  transformation,  etc.,  and  we  will  assume  some 
minimal  level  of  familiarity  with  these  concepts  on  the  reader’s  part.  For  a  gentle  introduction  to  such 
concepts,  and  category  theory  in  general,  we  refer  to  [52]. 

And third, we choose the category of all classes and all class functions between them as the underlying
category of our coalgebraic framework. This is a “surprisingly coalgebra-friendly category” (see [8, p. 3]),
which is one of the main reasons for choosing to work with it. And while it is possible to avoid such a
super-large category, by only considering endofunctors that are bounded in some suitable sense, we think
that classes provide for a cleaner, unobscured presentation of our ideas (see also discussion at end of
Section 3). Any concerns of foundational nature regarding the excessive size of this category can be
addressed in one way or another (e.g., see [41, chap. I] or [7, chap. 2]), but a thorough treatment would be
out of place here, and in any case, we will avoid impredicative constructions and comprehension principles
that test the consistency of the theory.


2  Background 

In  this  section,  we  briefly  overview  the  theory  of  universal  coalgebra.  We  deliberately  include  here  more  of 
the theory than is strictly needed for the purposes of this work, which we think is justified on the following
grounds:  (i)  we  think  that  the  exposure  of  the  broader  community  to  the  theory  is,  regrettably,  at  best 
limited,  and  (ii)  we  believe  that  the  reader  will  be  able  to  better  appreciate  our  methods  and  results  once 
equipped  with  a  more  rounded  view  of  the  theory.  For  a  more  detailed  introduction,  we  refer  the  interested 
reader  to  [58]  or  [28]. 

2.1  Coalgebras 

Assume an endofunctor $F$ on Class.¹

Definition 2.1. An $F$-coalgebra is an ordered pair $(C, \gamma)$ such that the following are true:

(a) $C$ is a class;

(b) $\gamma$ is a class function from $C$ to $F(C)$.

In general, an $F$-coalgebra $(C, \gamma)$ will represent one or several rules for decomposing things from $C$, as
determined by $\gamma$, into particular combinations of things from $C$, as encoded by $F$.

Assume an $F$-coalgebra $(C, \gamma)$.

We call $C$ the carrier of $(C, \gamma)$, and $\gamma$ the cooperation of $(C, \gamma)$.
We say that $(C, \gamma)$ is small if and only if $C$ is a set.

¹ We write Class for the category whose objects are all the classes, and arrows all the class functions.²

² A class function $f$ is an ordered triple $(D, C, G)$ such that $D$ is a class, $C$ is a class, $G \subseteq D \times C$, and for every $d \in D$,
there is exactly one $c$ such that $(d, c) \in G$. We write $\operatorname{dom} f$ for $D$, $\operatorname{cod} f$ for $C$, and $\operatorname{graph} f$ for $G$. We call $\operatorname{dom} f$ the domain of
$f$, $\operatorname{cod} f$ the codomain of $f$, and $\operatorname{graph} f$ the graph of $f$. We write $f : C_1 \to C_2$ if and only if $\operatorname{dom} f = C_1$ and $\operatorname{cod} f = C_2$.


2.2  Homomorphisms 

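Assume $F$-coalgebras $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$.

Definition 2.2. A homomorphism from $(C_1, \gamma_1)$ to $(C_2, \gamma_2)$ is a class function $h : C_1 \to C_2$ such that

$$F(h) \circ \gamma_1 = \gamma_2 \circ h,$$

or equivalently, the following diagram commutes:

$$\begin{array}{ccc}
C_1 & \xrightarrow{\;h\;} & C_2 \\
{\scriptstyle \gamma_1}\downarrow & & \downarrow{\scriptstyle \gamma_2} \\
F(C_1) & \xrightarrow{\;F(h)\;} & F(C_2)
\end{array}$$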

A  homomorphism  from  one  F-coalgebra  to  another  is  a  structure-preserving  map  that  carries  the 
decomposition  patterns  of  the  first  coalgebra  to  those  of  the  second.  In  particular,  it  establishes  a 
similarity  of  structure  between  its  domain  and  range  (see  Theorem  2.10). 

We say that $h$ is an endomorphism on $(C, \gamma)$ if and only if $h$ is a homomorphism from $(C, \gamma)$ to $(C, \gamma)$.

We say that $(C_1, \gamma_1)$ is a homomorphic image of $(C_2, \gamma_2)$ if and only if there is a surjective homomorphism
from $(C_2, \gamma_2)$ to $(C_1, \gamma_1)$.

We say that $h$ is an isomorphism between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ if and only if $h$ is a bijective
homomorphism from $(C_1, \gamma_1)$ to $(C_2, \gamma_2)$.

Proposition 2.3. If $h$ is an isomorphism between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$, then $h^{-1}$ is an isomorphism
between $(C_2, \gamma_2)$ and $(C_1, \gamma_1)$.

Proof. See [58, prop. 2.3].³ □

We say that $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ are isomorphic if and only if there is an isomorphism between $(C_1, \gamma_1)$
and $(C_2, \gamma_2)$.

Isomorphic $F$-coalgebras are structurally identical, and for all practical purposes, may be thought of as the
same object.

We say that $h$ is an automorphism on $(C, \gamma)$ if and only if $h$ is an isomorphism between $(C, \gamma)$ and $(C, \gamma)$.
The following is easy:

Proposition 2.4. The following are true:

(a) $\mathrm{id}_C$ is an automorphism on $(C, \gamma)$;

(b) if $h_1$ is a homomorphism from $(C_1, \gamma_1)$ to $(C, \gamma)$, and $h_2$ is a homomorphism from $(C, \gamma)$ to $(C_2, \gamma_2)$,
then $h_2 \circ h_1$ is a homomorphism from $(C_1, \gamma_1)$ to $(C_2, \gamma_2)$.

We write $F$-Coalg for the category whose objects are all the $F$-coalgebras, and arrows all the
homomorphisms from one $F$-coalgebra to another.

³ Quite often, we shall cite results from bibliographic references in our proofs. And in many cases, these results will have
been stated and proved in a different setting. For example, in [58], Rutten works with the category Set of all sets and all
functions between them, not Class. But in all cases, their proofs will remain valid in our setting here, unchanged or only
trivially modified.


2.3  Bisimulations 


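Definition 2.5. A bisimulation between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ is a binary class relation⁴ $B : C_1 \leftrightarrow C_2$ such
that there is an $F$-coalgebra $(\operatorname{graph} B, \beta)$ such that $\operatorname{dpr} B$ is a homomorphism from $(\operatorname{graph} B, \beta)$ to $(C_1, \gamma_1)$,
and $\operatorname{cpr} B$ is a homomorphism from $(\operatorname{graph} B, \beta)$ to $(C_2, \gamma_2)$,⁵ or equivalently, the following diagram
commutes:

$$\begin{array}{ccccc}
C_1 & \xleftarrow{\;\operatorname{dpr} B\;} & \operatorname{graph} B & \xrightarrow{\;\operatorname{cpr} B\;} & C_2 \\
{\scriptstyle \gamma_1}\downarrow & & \downarrow{\scriptstyle \beta} & & \downarrow{\scriptstyle \gamma_2} \\
F(C_1) & \xleftarrow{\;F(\operatorname{dpr} B)\;} & F(\operatorname{graph} B) & \xrightarrow{\;F(\operatorname{cpr} B)\;} & F(C_2)
\end{array}$$

We say that $c_1$ and $c_2$ are bisimilar among $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ if and only if there is a bisimulation $B$
between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ such that $c_1 \mathrel{B} c_2$.

By Definition 2.5, a binary class relation between two $F$-coalgebras is a bisimulation just as long as we can
impart its graph with the structure of an $F$-coalgebra that turns the projection maps from the graph to the
carriers of the two $F$-coalgebras into homomorphisms. But really, there is nothing particularly special
about such an $F$-coalgebra.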

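Theorem 2.6. $B$ is a bisimulation between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ if and only if there is an $F$-coalgebra
$(C, \gamma)$, a homomorphism $h_1$ from $(C, \gamma)$ to $(C_1, \gamma_1)$, and a homomorphism $h_2$ from $(C, \gamma)$ to $(C_2, \gamma_2)$, such
that

$$B = h_1^{-1} \mathbin{;} h_2.⁶$$

Proof. See [58, lem. 5.3] and [28, thm. 5.11]. □

Assume $F$-coalgebras $(C'_1, \gamma'_1)$ and $(C'_2, \gamma'_2)$.

The following is immediate:

Corollary 2.7. If $B$ is a bisimulation between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$, $h_1$ a homomorphism from $(C_1, \gamma_1)$ to
$(C'_1, \gamma'_1)$, and $h_2$ a homomorphism from $(C_2, \gamma_2)$ to $(C'_2, \gamma'_2)$, then $h_1^{-1} \mathbin{;} B \mathbin{;} h_2$ is a bisimulation between
$(C'_1, \gamma'_1)$ and $(C'_2, \gamma'_2)$.

⁴ A binary class relation $R$ is an ordered triple $(D, C, G)$ such that $D$ is a class, $C$ is a class, and $G \subseteq D \times C$. We write
$\operatorname{dom} R$ for $D$, $\operatorname{cod} R$ for $C$, and $\operatorname{graph} R$ for $G$. We call $\operatorname{dom} R$ the domain of $R$, $\operatorname{cod} R$ the codomain of $R$, and $\operatorname{graph} R$ the
graph of $R$. We write $R : C_1 \leftrightarrow C_2$ if and only if $\operatorname{dom} R = C_1$ and $\operatorname{cod} R = C_2$.

⁵ For every binary class relation $R$, we write $\operatorname{dpr} R$ for a class function from $\operatorname{graph} R$ to $\operatorname{dom} R$ such that for any
$(c_1, c_2) \in \operatorname{graph} R$, $(\operatorname{dpr} R)((c_1, c_2)) = c_1$, and $\operatorname{cpr} R$ for a class function from $\operatorname{graph} R$ to $\operatorname{cod} R$ such that for any
$(c_1, c_2) \in \operatorname{graph} R$, $(\operatorname{cpr} R)((c_1, c_2)) = c_2$. We call $\operatorname{dpr} R$ the domain projection map of $R$, and $\operatorname{cpr} R$ the codomain projection
map of $R$.

⁶ For every binary class relation $R_1$ and $R_2$ such that $\operatorname{cod} R_1 = \operatorname{dom} R_2$, we write $R_1 \mathbin{;} R_2$ for a binary class relation
between $\operatorname{dom} R_1$ and $\operatorname{cod} R_2$ such that for any $c_1 \in \operatorname{dom} R_1$ and any $c_2 \in \operatorname{cod} R_2$, $c_1 \mathrel{(R_1 \mathbin{;} R_2)} c_2$ if and only if there is $c$ such
that $c_1 \mathrel{R_1} c$ and $c \mathrel{R_2} c_2$.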
Theorem 2.8. For every class-indexed family $\{B_i\}_{i \in I}$ of bisimulations between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$, there
is a bisimulation $B$ between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$ such that

$$\operatorname{graph} B = \bigcup_{i \in I} \operatorname{graph} B_i.$$

Proof. See [28, thm. 5.6]. □

Definition  2.5  was  introduced  in  [6]  as  a  generalization  of  the  concept  of  bisimulation  between  labelled 
transition  systems  (see  Proposition  3.6  and  3.7).  It  is  supposed  to  capture  equivalence  of  structure.  But  to 
what  extent  does  it? 

A disturbing fact is that, unlike bisimilarity among labelled transition systems (see Section 3), the
coalgebraic  concept  of  bisimilarity  is  not,  in  general,  an  equivalence  concept. 

Example 2.9. Let $F$ be an endofunctor on Class that assigns to every class $C$ the class

$$F(C) = \{(c_1, c_2, c_3) \mid \{c_1, c_2, c_3\} \subseteq C \text{ and } |\{c_1, c_2, c_3\}| < 3\},$$

and to every class function $f : C_1 \to C_2$ a class function

$$F(f) : F(C_1) \to F(C_2)$$

such that for every $(c_1, c_2, c_3) \in F(C_1)$,

$$F(f)((c_1, c_2, c_3)) = (f(c_1), f(c_2), f(c_3)).$$

Let $S_1 = \{0, 1\}$, and $\gamma_1$ be a function from $S_1$ to $F(S_1)$ defined by the following mapping:

$$0 \mapsto (0, 0, 1);$$

$$1 \mapsto (0, 1, 1).$$

Let $S_2 = \{0\}$, and $\gamma_2$ be the unique function from $S_2$ to $F(S_2)$, namely a function from $S_2$ to $F(S_2)$ defined
by the following mapping:

$$0 \mapsto (0, 0, 0).$$

Let $h$ be the unique function from $S_1$ to $S_2$, namely a function from $S_1$ to $S_2$ defined by the following
mapping:

$$0 \mapsto 0;$$

$$1 \mapsto 0.$$

$h$ is trivially a homomorphism from $(S_1, \gamma_1)$ to $(S_2, \gamma_2)$. Thus, by Theorem 2.6, $0$ and $h(0)$, and similarly, $1$
and $h(1)$, are bisimilar among $(S_1, \gamma_1)$ and $(S_2, \gamma_2)$ (see also Theorem 2.10). But whereas $h(0)$ and $h(1)$ are
equal, and thus, trivially bisimilar in $(S_2, \gamma_2)$, $0$ and $1$ are not bisimilar in $(S_1, \gamma_1)$, lest there be a binary
relation $B$ on $S_1$, and an $F$-coalgebra $(\operatorname{graph} B, \beta)$ such that $(0, 1) \in \operatorname{graph} B$ and

$$\beta((0, 1)) = ((0, 0), (0, 1), (1, 1)).$$
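Example 2.9 is small enough to check by machine. The following Python script is an added illustration, not part of the original paper, and all function names in it are assumptions introduced here. It relies on the observation that the two projection conditions of Definition 2.5 force the value of the witnessing cooperation on a pair to be the componentwise pairing of the two cooperations, so a relation is a bisimulation exactly when every such pairing lands in F of its graph.

```python
"""Machine check of Example 2.9 (added illustration; helper names are assumptions)."""
from itertools import product


def F_obj(C):
    """F(C): all triples over C with fewer than three distinct components."""
    return {t for t in product(C, repeat=3) if len(set(t)) < 3}


def F_map(f):
    """F(f): apply the function f (given as a dict) componentwise."""
    return lambda t: tuple(f[c] for c in t)


# The two coalgebras and the map h of Example 2.9.
S1, gamma1 = (0, 1), {0: (0, 0, 1), 1: (0, 1, 1)}
S2, gamma2 = (0,), {0: (0, 0, 0)}
h = {0: 0, 1: 0}


def is_homomorphism(f, C1, g1, g2):
    """Definition 2.2: F(f) o g1 = g2 o f on every element of C1."""
    Ff = F_map(f)
    return all(Ff(g1[c]) == g2[f[c]] for c in C1)


def witness(graph, g1, g2):
    """Return the cooperation beta on `graph` required by Definition 2.5, or None.

    F(dpr B)(beta(p)) = g1(c1) and F(cpr B)(beta(p)) = g2(c2) pin beta(p) down
    to zip(g1(c1), g2(c2)); the only question is whether that triple of pairs
    is an element of F(graph).
    """
    FG = F_obj(graph)
    beta = {}
    for (c1, c2) in graph:
        candidate = tuple(zip(g1[c1], g2[c2]))
        if candidate not in FG:
            return None
        beta[(c1, c2)] = candidate
    return beta


def greatest_bisimulation(C1, g1, C2, g2):
    """Largest bisimulation (it exists by Theorem 2.8), by refinement from C1 x C2."""
    R = set(product(C1, C2))
    while True:
        FR = F_obj(R)
        keep = {(a, b) for (a, b) in R if tuple(zip(g1[a], g2[b])) in FR}
        if keep == R:
            return R
        R = keep


def all_bisimulations(C1, g1, C2, g2):
    """Brute-force cross-check: every relation on C1 x C2 that admits a witness."""
    pairs = list(product(C1, C2))
    found = []
    for mask in range(1 << len(pairs)):
        graph = {p for i, p in enumerate(pairs) if (mask >> i) & 1}
        if witness(graph, g1, g2) is not None:
            found.append(graph)
    return found


if __name__ == "__main__":
    print("h is a homomorphism:", is_homomorphism(h, S1, gamma1, gamma2))
    print("greatest bisimulation S1~S2:", greatest_bisimulation(S1, gamma1, S2, gamma2))
    print("greatest bisimulation S1~S1:", greatest_bisimulation(S1, gamma1, S1, gamma1))
    # The forced value of beta((0, 1)) has three distinct components,
    # so it is not an element of F(graph B) for any B.
    print("forced beta((0,1)):", tuple(zip(gamma1[0], gamma1[1])))
    print("all bisimulations on S1:", all_bisimulations(S1, gamma1, S1, gamma1))
```

The output shows 0 and 1 each related to the single state of S2, while the only bisimulations on S1 are the empty relation and the diagonal, which is the failure of transitivity the example describes.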
This should cast serious doubt on the usefulness of the coalgebraic concept of bisimulation: how can one
hope  to  capture  all  of  equivalence  of  structure  using  a  concept,  the  induced  similarity  notion  of  which  is 
not,  in  general,  transitive? 

This  discrepancy  was  not  lost  on  Aczel  and  Mendler,  who,  also  in  [6],  generalized  the  coalgebraic  concept 
of bisimulation further into that of what they called a precongruence, or in the case of an equivalence class
relation, a congruence. This is a technically more complicated concept: to determine whether a binary class
relation $R$ on the carrier of an $F$-coalgebra $(C, \gamma)$ is a precongruence on $(C, \gamma)$, one has to invoke a quotient
of $C$ with respect to the equivalence class relation generated by $R$, compose its image under $F$ with $\gamma$, and
test whether $R$ is contained in the equivalence kernel of the composite. But it is also an intuitively more
warranted concept, exactly formalizing the idea of a class relation that is compatible with the cooperation
of a coalgebra. Every bisimulation on an $F$-coalgebra is a precongruence, but not every precongruence on
an $F$-coalgebra is a bisimulation. In fact, the endofunctor that we used in Example 2.9 is one that was
devised  in  [6]  for  the  express  purpose  of  demonstrating  this  separation  between  the  two  concepts. 

Here,  mostly  for  the  purpose  of  accessibility,  we  have  decided  to  follow  the  approach  of  Rutten  in  [58],  who 
advocates  the  coalgebraic  concepts  of  bisimulation  and  bisimulation  equivalence  as  formal  duals  to  the 
algebraic  ones  of  substitutive  relation  and  congruence.  His  tacit  preference  over  the  more  appropriate 
concepts of precongruence and congruence of [6] is partly justified by the fact that more can be proved
about  bisimulations  and  bisimulation  equivalences  than  precongruences  and  congruences.  No  matter:  most 
of  the  theory  in  [58]  is  developed  under  the  assumption  that  the  endofunctor  F  preserves  weak  pullbacks,  a 
technical  condition  under  which  the  concepts  of  bisimulation  and  precongruence  coincide.  And  although  we 
will  never  need  to  make  explicit  mention  of  it,  every  particular  endofunctor  considered  here  will  actually 
satisfy  this  condition,  with  the  sole  exception  of  that  in  Example  2.9. 

That  said,  the  inadequacy  of  the  concept  of  bisimulation  is  not  felt  in  any  but  the  most  contrived  cases. 

For  all  intents  and  purposes,  bisimilarity  is  a  sufficient  measure  of  equivalence  of  structure.  The  following  is 
a  case  in  point: 

Theorem 2.10. $h$ is a homomorphism from $(C_1, \gamma_1)$ to $(C_2, \gamma_2)$ if and only if $h$ is a class function from
$C_1$ to $C_2$, and a bisimulation between $(C_1, \gamma_1)$ and $(C_2, \gamma_2)$.

Proof.  See  [58,  thm.  2.5].  □ 

In  a  word,  homomorphisms  are  functional  bisimulations. 


2.4  Subcoalgebras 


Definition 2.11. A subcoalgebra of $(C, \gamma)$ is an $F$-coalgebra $(C', \gamma')$ such that $C' \subseteq C$, and $C' \hookrightarrow C$ is a
homomorphism from $(C', \gamma')$ to $(C, \gamma)$,⁷ or equivalently, the following diagram commutes:

$$\begin{array}{ccc}
C' & \xrightarrow{\;C' \hookrightarrow C\;} & C \\
{\scriptstyle \gamma'}\downarrow & & \downarrow{\scriptstyle \gamma} \\
F(C') & \xrightarrow{\;F(C' \hookrightarrow C)\;} & F(C)
\end{array}$$

⁷ For every class $C_1$ and $C_2$ such that $C_1 \subseteq C_2$, we write $C_1 \hookrightarrow C_2$ for a function from $C_1$ to $C_2$ such that for any $c_1 \in C_1$,
$(C_1 \hookrightarrow C_2)(c_1) = c_1$. We call $C_1 \hookrightarrow C_2$ the inclusion map from $C_1$ to $C_2$.

A subcoalgebra of an $F$-coalgebra is a part of that $F$-coalgebra, that is closed, in a suitably generalized
sense, under the decomposition rules of the latter.

We write $(C', \gamma') \leq (C, \gamma)$ if and only if $(C', \gamma')$ is a subcoalgebra of $(C, \gamma)$.

As one might expect, the cooperation of a subcoalgebra is uniquely determined by its carrier.

Proposition 2.12. If $(C_1, \gamma_1) \leq (C, \gamma)$, $(C_2, \gamma_2) \leq (C, \gamma)$, and $C_1 = C_2$, then $\gamma_1 = \gamma_2$.

Proof.  See  [58,  prop.  6.1].  □ 

The  following  can  be  used  as  criteria  for  choosing  an  eligible  carrier: 

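Theorem 2.13. If $h$ is a homomorphism from $(C_1, \gamma_1)$ to $(C_2, \gamma_2)$, then there is a class function
$\rho : \operatorname{ran} h \to F(\operatorname{ran} h)$ such that $(\operatorname{ran} h, \rho) \leq (C_2, \gamma_2)$.⁸

Proof. See [58, thm. 6.3]. □

Theorem 2.14. For every class-indexed family $\{(C_i, \gamma_i)\}_{i \in I}$ of subcoalgebras of $(C, \gamma)$, there is a class
function $\nu : \bigcup_{i \in I} C_i \to F(\bigcup_{i \in I} C_i)$ such that $(\bigcup_{i \in I} C_i, \nu) \leq (C, \gamma)$.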

Proof.  See  [28,  thm.  4.7].  □ 

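Finally, every homomorphism factorizes, in a unique fashion, through every subcoalgebra of its codomain
$F$-coalgebra that contains its range.

Proposition 2.15. If $h$ is a homomorphism from $(C_1, \gamma_1)$ to $(C_2, \gamma_2)$, and $(C, \gamma)$ is a subcoalgebra of
$(C_2, \gamma_2)$ such that $\operatorname{ran} h \subseteq C$, then there is exactly one homomorphism $h'$ from $(C_1, \gamma_1)$ to $(C, \gamma)$ such that

$$h = (C \hookrightarrow C_2) \circ h',$$

or equivalently, the following diagram commutes:

$$\begin{array}{ccc}
(C_1, \gamma_1) & \xrightarrow{\;h\;} & (C_2, \gamma_2) \\
 & {\scriptstyle h'}\searrow & \uparrow{\scriptstyle C \hookrightarrow C_2} \\
 & & (C, \gamma)
\end{array}$$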


Proof.  See  [58,  prop.  6.5].  □ 

Theorem  2.14  and  Proposition  2.15  can  be  used  to  arrange  the  subcoalgebras  of  an  F-coalgebra  into  a 
complete  lattice  (see  [28,  cor.  4.9]). 

We conclude this brief account on subcoalgebras with The Small Subcoalgebra Lemma of [6], which is in
fact equivalent to [8, thm. 2.2], namely the surprising fact that every endofunctor on Class is set-based.⁹

Lemma 2.16. For every subset $S$ of $C$, there is a small F-coalgebra $(C', \gamma')$ such that $S \subseteq C'$ and

$(C', \gamma') \le (C, \gamma)$.

8 For every class function $f$, we write $\operatorname{ran} f$ for the class $\{y \mid \text{there is } x \in \operatorname{dom} f \text{ such that } y = f(x)\}$. We call $\operatorname{ran} f$ the
range of $f$.

9 An endofunctor $F$ on Class is set-based if and only if for every class $C$ and any $c \in F(C)$, there is a subset $S$ of $C$, and
$s \in F(S)$, such that $c = F(S \hookrightarrow C)(s)$.

Proof. See [6, lem. 2.2] and [8, thm. 2.2]. □


2.5  Direct  sums 

Assume a class-indexed family $\{(C_i, \gamma_i)\}_{i \in I}$ of F-coalgebras.

Definition 2.17. The direct sum of $\{(C_i, \gamma_i)\}_{i \in I}$ is an F-coalgebra $(C, \gamma)$ such that the following are true:

(a) $C$ is the disjoint union¹⁰ of $\{C_i\}_{i \in I}$;

(b) $\gamma$ is a class function from $C$ to $F(C)$ such that for any $j \in I$ and any $c \in C_j$,

$\gamma((\operatorname{inj}_j \sum_{i \in I} C_i)(c)) = F(\operatorname{inj}_j \sum_{i \in I} C_i)(\gamma_j(c))$.¹¹

The concept of direct sum lifts the concept of disjoint union from classes to F-coalgebras, allowing us to
merge different F-coalgebras into a single whole.

We write $\sum_{i \in I} (C_i, \gamma_i)$ for the direct sum of $\{(C_i, \gamma_i)\}_{i \in I}$.

Notice that for any $j \in I$, the canonical injection map $\operatorname{inj}_j \sum_{i \in I} C_i$ is by definition a homomorphism from
$(C_j, \gamma_j)$ to $\sum_{i \in I} (C_i, \gamma_i)$.

The  most  important,  and  practically,  defining  property  of  the  direct  sum  is  the  following: 

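Proposition 2.18. For every class-indexed family $\{h_i\}_{i \in I}$ such that for any $i \in I$, $h_i$ is a homomorphism
from $(C_i, \gamma_i)$ to $(C, \gamma)$, there is exactly one homomorphism $h$ from $\sum_{i \in I} (C_i, \gamma_i)$ to $(C, \gamma)$ such that for any
$j \in I$,

$h_j = h \circ \operatorname{inj}_j \sum_{i \in I} C_i$,

or equivalently, the following diagram commutes:

[Diagram: $\operatorname{inj}_j \sum_{i \in I} C_i$ from $(C_j, \gamma_j)$ to $\sum_{i \in I} (C_i, \gamma_i)$, $h$ from $\sum_{i \in I} (C_i, \gamma_i)$ to $(C, \gamma)$, and $h_j$ from $(C_j, \gamma_j)$ to $(C, \gamma)$.]

Proof. See [28, lem. 4.1]. □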


2.6  Final  coalgebras 

We say that $(C, \gamma)$ is final in F-Coalg if and only if for every F-coalgebra $(C', \gamma')$, there is exactly one
homomorphism from $(C', \gamma')$ to $(C, \gamma)$.

10 For every class-indexed family $\{C_i\}_{i \in I}$ of classes, the disjoint union of $\{C_i\}_{i \in I}$ is the class $\{(i, c) \mid i \in I \text{ and } c \in C_i\}$. We
write $\sum_{i \in I} C_i$ for the disjoint union of $\{C_i\}_{i \in I}$.

11 For every class-indexed family $\{C_i\}_{i \in I}$ of classes and any $j \in I$, we write $\operatorname{inj}_j \sum_{i \in I} C_i$ for a function from $C_j$ to $\sum_{i \in I} C_i$
such that for any $c \in C_j$, $(\operatorname{inj}_j \sum_{i \in I} C_i)(c) = (j, c)$. We call $\operatorname{inj}_j \sum_{i \in I} C_i$ the canonical injection map from $C_j$ to $\sum_{i \in I} C_i$.

We use the word “final” here instead of the word “terminal” only to conform with common practice in the
germane literature: an F-coalgebra is final in F-Coalg if and only if it is a terminal object of F-Coalg.

Notice  that  all  final  F-coalgebras  are  isomorphic  to  one  another,  lest  there  be  another  endomorphism, 
apart  from  the  identity  map,  on  any  of  them. 

Final  F-coalgebras  are  interesting  because  they  are  complex  enough  to  subsume  the  structure  of  every 
other  F-coalgebra,  but  coarse  enough  to  do  so  only  modulo  equivalence  of  structure. 

We say that $(C, \gamma)$ is complete in F-Coalg if and only if for every F-coalgebra $(C', \gamma')$ and any $c' \in C'$,
there is exactly one $c \in C$ such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

Theorem 2.19. The following are equivalent:

(a) $(C, \gamma)$ is final in F-Coalg;

(b) for every small F-coalgebra $(C', \gamma')$, there is exactly one homomorphism from $(C', \gamma')$ to $(C, \gamma)$;

(c) $(C, \gamma)$ is complete in F-Coalg;

(d) for every small F-coalgebra $(C', \gamma')$, and any $c' \in C'$, there is exactly one $c \in C$ such that $c'$ and $c$ are
bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

Proof.  Trivially,  (a)  implies  (b),  and  (c)  implies  (d).  Therefore,  it  suffices  to  prove  that  (b)  implies  (c),  and 
(d)  implies  (a). 

Suppose that for every small F-coalgebra $(C', \gamma')$, there is exactly one homomorphism from $(C', \gamma')$ to
$(C, \gamma)$.

Assume an F-coalgebra $(C', \gamma')$.

Assume $c' \in C'$.

By Lemma 2.16, there is a small F-coalgebra $(C'', \gamma'')$ such that $c' \in C''$ and $(C'', \gamma'') \le (C', \gamma')$. By
hypothesis, there is exactly one homomorphism $h$ from $(C'', \gamma'')$ to $(C, \gamma)$.

Let $R = (C'' \hookrightarrow C')^{-1} ; h$.

Then, by Theorem 2.6, $R$ is a bisimulation between $(C', \gamma')$ and $(C, \gamma)$. And clearly, $c' \mathrel{R} h(c')$. Thus, there
is $c \in C$, namely $h(c')$, such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

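Suppose, toward contradiction, that there are $c_1, c_2 \in C$ such that $c'$ and $c_1$ are bisimilar among $(C', \gamma')$
and $(C, \gamma)$, $c'$ and $c_2$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$, and $c_1 \ne c_2$. Then there are bisimulations $B_1$
and $B_2$ between $(C', \gamma')$ and $(C, \gamma)$ such that $c' \mathrel{B_1} c_1$ and $c' \mathrel{B_2} c_2$. By Theorem 2.8, there is a bisimulation
$B$ between $(C', \gamma')$ and $(C, \gamma)$ such that

$\operatorname{graph} B = \operatorname{graph} B_1 \cup \operatorname{graph} B_2$.

Let $(\operatorname{graph} B, \beta)$ be an F-coalgebra such that $\operatorname{dpr} B$ is a homomorphism from $(\operatorname{graph} B, \beta)$ to $(C', \gamma')$, and
$\operatorname{cpr} B$ one from $(\operatorname{graph} B, \beta)$ to $(C, \gamma)$.

By Lemma 2.16, there is a small F-coalgebra $(G, \beta')$ such that $\{(c', c_1), (c', c_2)\} \subseteq G$ and
$(G, \beta') \le (\operatorname{graph} B, \beta)$.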

Let $B'$ be a binary class relation between $C'$ and $C$ such that
$\operatorname{graph} B' = G$.

Clearly, $B'$ is a bisimulation between $(C', \gamma')$ and $(C, \gamma)$.

By Theorem 2.13, there is a class function $p : \operatorname{ran} \operatorname{dpr} B' \to F(\operatorname{ran} \operatorname{dpr} B')$ such that
$(\operatorname{ran} \operatorname{dpr} B', p) \le (C', \gamma')$.

And by Proposition 2.15, there is exactly one homomorphism $\pi$ from $(\operatorname{graph} B', \beta')$ to $(\operatorname{ran} \operatorname{dpr} B', p)$ such
that

$\operatorname{dpr} B' = (\operatorname{ran} \operatorname{dpr} B' \hookrightarrow C') \circ \pi$.

Since $(\operatorname{graph} B', \beta')$ is small, $(\operatorname{ran} \operatorname{dpr} B', p)$ is small. Thus, by hypothesis, there is exactly one
homomorphism $h'$ from $(\operatorname{ran} \operatorname{dpr} B', p)$ to $(C, \gamma)$. Then both $h' \circ \pi$ and $\operatorname{cpr} B'$ are homomorphisms from
$(\operatorname{graph} B', \beta')$ to $(C, \gamma)$. However,

$(h' \circ \pi)((c', c_1)) = h'(c') = (h' \circ \pi)((c', c_2))$

and

$(\operatorname{cpr} B')((c', c_1)) = c_1 \ne c_2 = (\operatorname{cpr} B')((c', c_2))$,
and thus,

$h' \circ \pi \ne \operatorname{cpr} B'$,
contrary to our hypothesis.

Therefore, there is at most one $c \in C$ such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

Thus, there is exactly one $c \in C$, namely $h(c')$, such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.
Thus, by generalization, $(C, \gamma)$ is complete in F-Coalg.

We  have  thereby  proved  that  (b)  implies  (c).  It  remains  to  prove  that  (d)  implies  (a). 

Suppose that for every small F-coalgebra $(C', \gamma')$, and any $c' \in C'$, there is exactly one $c \in C$
such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

Assume an F-coalgebra $(C'', \gamma'')$.

For every small subcoalgebra $(C', \gamma')$ of $(C'', \gamma'')$, let $h_{(C', \gamma')}$ be a class function from $(C', \gamma')$ to $(C, \gamma)$ such
that for any $c' \in C'$, $h_{(C', \gamma')}(c')$ is the unique $c \in C$ such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and
$(C, \gamma)$.

Let $h$ be a binary class relation between $(C'', \gamma'')$ and $(C, \gamma)$ such that

$\operatorname{graph} h = \bigcup \{\operatorname{graph} h_{(C', \gamma')} \mid (C', \gamma') \text{ is a small subcoalgebra of } (C'', \gamma'')\}$.

We claim that $h$ is a homomorphism from $(C'', \gamma'')$ to $(C, \gamma)$.

We first need to prove that $h$ is a class function.

Assume $c'' \in C''$.

By Lemma 2.16, there is a small F-coalgebra $(C', \gamma')$ such that $c'' \in C'$ and $(C', \gamma') \le (C'', \gamma'')$. Thus,
$(c'', h_{(C', \gamma')}(c'')) \in \operatorname{graph} h$.

Thus, by generalization, $\operatorname{dom} h = C''$.

Suppose, toward contradiction, that there are $(c'', c_1), (c'', c_2) \in \operatorname{graph} h$ such that $c_1 \ne c_2$. Then there is a
small subcoalgebra $(C_1', \gamma_1')$ of $(C'', \gamma'')$ such that

$h_{(C_1', \gamma_1')}(c'') = c_1$,
and a small subcoalgebra $(C_2', \gamma_2')$ of $(C'', \gamma'')$ such that
$h_{(C_2', \gamma_2')}(c'') = c_2$.

Thus, there is a bisimulation $B_1$ between $(C_1', \gamma_1')$ and $(C, \gamma)$ such that $c'' \mathrel{B_1} c_1$, and a bisimulation $B_2$
between $(C_2', \gamma_2')$ and $(C, \gamma)$ such that $c'' \mathrel{B_2} c_2$. Now, by Theorem 2.14, there is a function
$v : C_1' \cup C_2' \to F(C_1' \cup C_2')$ such that

$(C_1' \cup C_2', v) \le (C'', \gamma'')$.

And by Proposition 2.15, $C_1' \hookrightarrow (C_1' \cup C_2')$ is a homomorphism from $(C_1', \gamma_1')$ to $(C_1' \cup C_2', v)$, and
$C_2' \hookrightarrow (C_1' \cup C_2')$ one from $(C_2', \gamma_2')$ to $(C_1' \cup C_2', v)$.

Let $R_1 = (C_1' \hookrightarrow (C_1' \cup C_2'))^{-1} ; B_1$.

Let $R_2 = (C_2' \hookrightarrow (C_1' \cup C_2'))^{-1} ; B_2$.

Then, by Corollary 2.7, both $R_1$ and $R_2$ are bisimulations between $(C_1' \cup C_2', v)$ and $(C, \gamma)$. And clearly,
$c'' \mathrel{R_1} c_1$ and $c'' \mathrel{R_2} c_2$, contrary to our hypothesis.

Therefore, for every $(c'', c_1), (c'', c_2) \in \operatorname{graph} h$, $c_1 = c_2$.

Thus, $h$ is a class function from $C''$ to $C$.

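We move on to prove that $h$ is a homomorphism from $(C'', \gamma'')$ to $(C, \gamma)$.

Assume $c'' \in C''$.

By Lemma 2.16, there is a small F-coalgebra $(C', \gamma')$ such that $c'' \in C'$ and $(C', \gamma') \le (C'', \gamma'')$.

Let $B$ be a bisimulation between $(C', \gamma')$ and $(C, \gamma)$ such that $c'' \mathrel{B} h_{(C', \gamma')}(c'')$.

Let $(\operatorname{graph} B, \beta)$ be an F-coalgebra such that $\operatorname{dpr} B$ is a homomorphism from $(\operatorname{graph} B, \beta)$ to $(C', \gamma')$, and
$\operatorname{cpr} B$ one from $(\operatorname{graph} B, \beta)$ to $(C, \gamma)$.

Suppose, toward contradiction, that

$h \circ (C' \hookrightarrow C'') \circ \operatorname{dpr} B \ne \operatorname{cpr} B$.

Then there is $(c'', c) \in \operatorname{graph} B$ such that

$(h \circ (C' \hookrightarrow C'') \circ \operatorname{dpr} B)((c'', c)) \ne (\operatorname{cpr} B)((c'', c))$.

Thus, $h(c'') \ne c$. However, $h(c'') = h_{(C', \gamma')}(c'')$, and thus, $h_{(C', \gamma')}(c'') \ne c$, contrary to our hypothesis.

Therefore,

$h \circ (C' \hookrightarrow C'') \circ \operatorname{dpr} B = \operatorname{cpr} B$.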


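Then

$$
\begin{aligned}
F(h)(\gamma''(c'')) &= F(h)(F(C' \hookrightarrow C'')(\gamma'(c''))) \\
&= F(h)(F(C' \hookrightarrow C'')(\gamma'((\operatorname{dpr} B)((c'', h_{(C', \gamma')}(c'')))))) \\
&= F(h)(F(C' \hookrightarrow C'')(F(\operatorname{dpr} B)(\beta((c'', h_{(C', \gamma')}(c'')))))) \\
&= F(h \circ (C' \hookrightarrow C'') \circ \operatorname{dpr} B)(\beta((c'', h_{(C', \gamma')}(c'')))) \\
&= F(\operatorname{cpr} B)(\beta((c'', h_{(C', \gamma')}(c'')))) \\
&= \gamma((\operatorname{cpr} B)((c'', h_{(C', \gamma')}(c'')))) \\
&= \gamma(h_{(C', \gamma')}(c'')) \\
&= \gamma(h(c'')).
\end{aligned}
$$

Thus, by generalization, $h$ is a homomorphism from $(C'', \gamma'')$ to $(C, \gamma)$.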

Suppose, toward contradiction, that there are homomorphisms $h_1$ and $h_2$ from $(C'', \gamma'')$ to $(C, \gamma)$ such that
$h_1 \ne h_2$. Then there is $c'' \in C''$ such that

$h_1(c'') \ne h_2(c'')$.

And by Lemma 2.16, there is a small F-coalgebra $(C', \gamma')$ such that $c'' \in C'$ and $(C', \gamma') \le (C'', \gamma'')$. By
Theorem 2.10, both $h_1 \circ (C' \hookrightarrow C'')$ and $h_2 \circ (C' \hookrightarrow C'')$ are bisimulations between $(C', \gamma')$ and $(C, \gamma)$. Thus,
$c''$ and $h_1(c'')$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$, and $c''$ and $h_2(c'')$ are bisimilar among $(C', \gamma')$ and
$(C, \gamma)$, contrary to our hypothesis.

Therefore, there is at most one homomorphism from $(C'', \gamma'')$ to $(C, \gamma)$.

Thus, there is exactly one homomorphism from $(C'', \gamma'')$ to $(C, \gamma)$.

Thus, by generalization, $(C, \gamma)$ is final in F-Coalg. □

The  equivalence  of  (a)  and  (b)  was  already  sketched  by  Aczel  in  [3],  whereas  the  implication  from  (a)  to  (c) 
can  be  found  in  [28,  thm.  6.4].  But  the  one  in  the  reverse  direction  is,  to  our  knowledge,  a  new  result. 
Altogether,  Theorem  2.19  is  a  powerful  characterization  of  final  coalgebras,  justifying  their  prominent  role 
as  semantic  models  of  behaviour. 

By Theorem 2.19, any final F-coalgebra $(C, \gamma)$ is strongly extensional, or equivalently, satisfies what is now
known as the coinduction proof principle, whereby for every $c_1, c_2 \in C$, in order to prove that $c_1 = c_2$, one
need only find a bisimulation $B$ on $(C, \gamma)$ such that $c_1 \mathrel{B} c_2$ (see [58, thm. 9.2]).

Theorem 2.20. There is an F-coalgebra that is final in F-Coalg.

Proof. See [6, thm. 2.1] and [8, thm. 2.2]. □

By  now,  there  have  been  several  different  proofs  of  Theorem  2.20  (see  [8]  and  references  therein).  Assuming 
[8,  thm.  2.2],  or  equivalently,  Lemma  2.16,  the  proof  in  [6]  is  perhaps  the  most  elementary,  and  surely  the 
most natural from the non-category-theorist point of view. It amounts to forming a direct sum of all small
F-coalgebras, and constructing a quotient of it with respect to the largest congruence on it, or equivalently
in this case, the equivalence class relation generated by the largest bisimulation on it.

Proposition 2.21. If $(C, \gamma)$ is final in F-Coalg, then $\gamma$ is bijective.

Proof. See [37, lem. 2.2]. □

Proposition 2.21 is known as Lambek’s Lemma, and for many interesting endofunctors, including those
considered in Sections 3 and 4, it implies that the carrier of the final coalgebra is a proper class.

2.7  Covarieties 

Assume a full¹² subcategory S of F-Coalg.

We say that S is closed under the formation of homomorphic images if and only if for every F-coalgebra
$(C, \gamma)$, if $(C, \gamma)$ is in S, and $(C', \gamma')$ is a homomorphic image of $(C, \gamma)$, then $(C', \gamma')$ is in S.

12 A subcategory S of a category C is full if and only if the arrows between any two objects in S are all the arrows between
the two objects in C.

We say that S is closed under the formation of subcoalgebras if and only if for every F-coalgebra $(C, \gamma)$, if
$(C, \gamma)$ is in S, and $(C', \gamma')$ is a subcoalgebra of $(C, \gamma)$, then $(C', \gamma')$ is in S.

We say that S is closed under the formation of direct sums if and only if for every class-indexed family
$\{(C_i, \gamma_i)\}_{i \in I}$ of F-coalgebras, if for every $i \in I$, $(C_i, \gamma_i)$ is in S, then $\sum_{i \in I} (C_i, \gamma_i)$ is in S.

Definition 2.22. An F-covariety is a full subcategory C of F-Coalg such that the following are true:

(a)  C  is  closed  under  the  formation  of  homomorphic  images; 

(b)  C  is  closed  under  the  formation  of  subcoalgebras; 

(c)  C  is  closed  under  the  formation  of  direct  sums. 

The  concept  of  F-covariety  is  the  coalgebraic  counterpart  of  a  generalization  of  the  concept  of  S-variety, 
what  Birkhoff  called  a  family  of  algebras  when  he  introduced  the  concept  in  [14].  Here,  it  is  of  interest 
because  it  allows  us  to  generalize  the  results  of  Section  2.6  to  cases  where  certain  kinds  of  structure  have 
been  systematically  ruled  out  (e.g.,  see  Section  4.3). 

We say that $(C, \gamma)$ is final in S if and only if $(C, \gamma)$ is in S, and for every F-coalgebra $(C', \gamma')$ in S, there is
exactly one homomorphism from $(C', \gamma')$ to $(C, \gamma)$.

Just as in F-Coalg, all final F-coalgebras are isomorphic to one another.

We say that $(C, \gamma)$ is complete in S if and only if $(C, \gamma)$ is in S, and for every F-coalgebra $(C', \gamma')$ in S and
any $c' \in C'$, there is exactly one $c \in C$ such that $c'$ and $c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

The  following  is  a  generalization  of  Theorem  2.19: 

Theorem 2.23. For every F-covariety C, the following are true:

(a) $(C, \gamma)$ is final in C;

(b) for every small F-coalgebra $(C', \gamma')$ in C, there is exactly one homomorphism from $(C', \gamma')$ to $(C, \gamma)$;

(c) $(C, \gamma)$ is complete in C;

(d) for every small F-coalgebra $(C', \gamma')$ in C, and any $c' \in C'$, there is exactly one $c \in C$ such that $c'$ and
$c$ are bisimilar among $(C', \gamma')$ and $(C, \gamma)$.

Proof. See proof of Theorem 2.19. □

The  reason  that  we  are  able  to  reuse  the  proof  of  Theorem  2.19  here  without  any  modification  or 
adjustment  is  that,  because  of  the  closure  properties  of  an  F-covariety,  all  relevant  constructions  in  that 
proof can be carried out inside C. The only structures in that proof that are not necessarily in C are the
bisimulations, which are not supposed to be either.

By  Theorem  2.23,  every  F-coalgebra  that  is  final  in  an  F-covariety  satisfies  the  coinduction  proof  principle. 
The  following  is  a  generalization  of  Theorem  2.20: 

Theorem  2.24.  For  every  F-covariety  C,  there  is  an  F-coalgebra  that  is  final  in  C. 

Proof.  Assume  an  F-covariety  C. 

Let $(C, \gamma)$ be an F-coalgebra that is final in F-Coalg.

Let $(C', \gamma')$ be a direct sum of all small F-coalgebras in C.

Let $h$ be the unique homomorphism from $(C', \gamma')$ to $(C, \gamma)$.

Then, by Theorem 2.13, there is a class function $p : \operatorname{ran} h \to F(\operatorname{ran} h)$ such that
$(\operatorname{ran} h, p) \le (C, \gamma)$.

And by Proposition 2.15, there is exactly one homomorphism $h'$ from $(C', \gamma')$ to $(\operatorname{ran} h, p)$ such that
$h = (\operatorname{ran} h \hookrightarrow C) \circ h'$.

Clearly, $h'$ is surjective, and thus, $(\operatorname{ran} h, p)$ is a homomorphic image of $(C', \gamma')$. And since C is an
F-covariety, $(\operatorname{ran} h, p)$ is an F-coalgebra in C.

We claim that $(\operatorname{ran} h, p)$ is final in C.

Assume a small F-coalgebra $(C'', \gamma'')$ in C.

Let $\iota$ be the canonical injection map from $C''$ to $C'$.

Then $h' \circ \iota$ is a homomorphism from $(C'', \gamma'')$ to $(\operatorname{ran} h, p)$.

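Suppose, toward contradiction, that there are homomorphisms $h_1$ and $h_2$ from $(C'', \gamma'')$ to $(\operatorname{ran} h, p)$ such
that

$h_1 \ne h_2$.

Then both $(\operatorname{ran} h \hookrightarrow C) \circ h_1$ and $(\operatorname{ran} h \hookrightarrow C) \circ h_2$ are homomorphisms from $(C'', \gamma'')$ to $(C, \gamma)$. And since
$(\operatorname{ran} h \hookrightarrow C)$ is injective,

$(\operatorname{ran} h \hookrightarrow C) \circ h_1 \ne (\operatorname{ran} h \hookrightarrow C) \circ h_2$,

contrary to $(C, \gamma)$ being final in F-Coalg.

Therefore, there is at most one homomorphism from $(C'', \gamma'')$ to $(\operatorname{ran} h, p)$.

Thus, there is exactly one homomorphism, namely $h' \circ \iota$, from $(C'', \gamma'')$ to $(\operatorname{ran} h, p)$.

Thus, by generalization and Theorem 2.23, $(\operatorname{ran} h, p)$ is final in C. □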

Theorem 2.24 is easy enough to be already known. But being unable to trace it in the literature, we have
taken care to prove it here (but see [4, thm. 2.2]).

The  following  is  a  generalization  of  Proposition  2.21: 

Proposition 2.25. For every F-covariety C, if $(C, \gamma)$ is final in C, then $\gamma$ is bijective.

Proof.  See  proof  of  Proposition  2.21.  □ 

As  with  Theorem  2.23,  the  reason  that  we  are  able  to  reuse  the  proof  of  Proposition  2.21  here  is  that, 
because  of  the  closure  properties  of  an  F-covariety,  all  relevant  constructions  in  that  proof  can  be  carried 
out  inside  C. 


3  Labelled  transition  systems  and  coalgebras 

The  concept  of  labelled  transition  system  is  the  paradigmatic  example  of  a  coalgebra.  Indeed,  the  theory  of 
coalgebra  was  largely  inspired  by  that  concept  (e.g.,  see  [6]).  Here,  we  formalize  it  in  a  somewhat 
nonstandard  way,  namely  using  a  binary  relation  rather  than  a  ternary  one,  and  go  over  its  coalgebraic 
treatment  anew,  with  the  intent  of  drawing  the  reader’s  attention  to  the  unity  of  formal  treatment  between 
this section and the next.

Figure 1. $s_0$ and $s_4$ are bisimilar; neither of them is bisimilar to $s_{11}$.


3.1  Labelled  transition  systems 

Assume  a  non-empty  set  L  of  labels. 

Definition 3.1. An L-labelled transition system is an ordered pair $(S, T)$ such that the following are true:

(a) $S$ is a set;

(b) $T$ is a binary relation between $S$ and $L \times S$.

Assume an L-labelled transition system $(S, T)$.

We write $s \xrightarrow{l}_T s'$ if and only if $s \mathrel{T} (l, s')$.

We call any $s \in S$ a state of $(S, T)$, and any $(s, (l, s')) \in \operatorname{graph} T$ a transition of $(S, T)$.

Labelled  transition  systems  have  been  around  at  least  since  Moore’s  work  on  finite  automata  in  [48],  where 
they  appeared  in  tabular  as  well  as  pictorial  form.  In  their  present  form,  they  seem  to  have  been 
introduced  by  Keller  in  [36],  where  they  were  called  named  transition  systems.  And  although  Keller  used 
them  to  model  parallel  computation,  it  was  apparently  Milner  who  first  saw  labels  as  shared  vehicles  of 
interaction,  and  labelled  transition  systems  as  models  of  communicating  behaviour,  paving  the  way  for  [43] 
and  the  advent  of  process  algebra. 

In  fact,  considering  how  easy  it  is  to  “cook  up  yet  another  variant  process  calculus  or  algebra”  (see  [2, 
p.  39]),  it  is  not  unreasonable  to  suggest  that  a  process  algebra  is  no  more  than  an  algebra  of  labelled 
transition  systems.  For  in  the  absence  of  a  “hard  and  obdurate”  kind  of  external  reality,  it  is  the  model 
that  gives  meaning  to  form,  and  that  model  is  hardly  ever  anything  other  than  a  labelled  transition  system. 
And  really,  the  only,  seemingly  tacit  constraint  on  the  latter  is  that  equivalence  of  branching  structure  be  a 
congruence  relation.  This  is  the  notion  of  equivalence  corresponding  to  the  branching  end  of  the  spectrum 
of  [62],  and  “the  real  fruit”  of  process  algebra  as  a  whole. 

Assume L-labelled transition systems $(S_1, T_1)$ and $(S_2, T_2)$.

Definition 3.2. A bisimulation between $(S_1, T_1)$ and $(S_2, T_2)$ is a binary relation $B$ between $S_1$ and $S_2$ such that
for any $s_1$ and $s_2$ such that $s_1 \mathrel{B} s_2$, the following are true:

(a) if $s_1 \xrightarrow{l}_{T_1} s_1'$, then there is $s_2'$ such that $s_2 \xrightarrow{l}_{T_2} s_2'$ and $s_1' \mathrel{B} s_2'$;

(b) if $s_2 \xrightarrow{l}_{T_2} s_2'$, then there is $s_1'$ such that $s_1 \xrightarrow{l}_{T_1} s_1'$ and $s_1' \mathrel{B} s_2'$.

We say that $s_1$ and $s_2$ are bisimilar among $(S_1, T_1)$ and $(S_2, T_2)$ if and only if there is a bisimulation $B$
between $(S_1, T_1)$ and $(S_2, T_2)$ such that $s_1 \mathrel{B} s_2$.

For example, consider the three diagrams of Figure 1, which are of course pictures of labelled transition
systems: $s_0$ and $s_4$ are bisimilar; neither of them is bisimilar to $s_{11}$.

The idea of bisimilarity is that for any path branching out of either one of the two states, there is a path
branching  out  of  the  other  one,  that  carries  the  same  labels  in  the  same  order,  and  goes  through  states  that 
are  again  related  to  the  corresponding  states  of  the  first  path  in  the  same  way.  This  last  piece  of  recursion 
is  what  separates  bisimilarity  from  trace  equivalence,  making  the  former  sensitive  to  the  branching 
potential  of  each  state. 

The concept of bisimulation is due to David Park (see [51]), and is without doubt the most significant
contribution of the theory of concurrency to the broader arena of computer science and mathematics at
large.¹³ After learning about Milner’s work in [45], where bisimulation was worked out in the context of a
calculus for the first time, and prompted by the perception of an analogy between the mathematical notion
of a set and that of a process with just one kind of action, Peter Aczel used transition systems to model a
theory of sets that need not be well founded, and the concept of bisimulation to strengthen, in a sensible
and pleasing way, the Axiom of Extensionality therein (see [3]).¹⁴ But then he went further. He noticed
that  transition  systems  could  be  viewed  as  coalgebras  for  a  certain  endofunctor,  and  models  of  his  axiom  as 
final  objects  in  a  suitable  category  of  such  coalgebras.  Work  on  a  generalization  of  this  result  culminated  in 
[6]  to  bear  a  final  coalgebra  theorem  and  a  categorical  definition  of  bisimulation,  eventually  leading  to  the 
general  theory  of  universal  coalgebra  glimpsed  in  Section  2. 

3.2  Labelled  transition  coalgebras 

Consider  once  more  the  concept  of  labelled  transition  system.  We  have  formalized  this  as  an  ordered  pair 
of  a  set  and  a  binary  relation.  But  there  is  another  way:  to  look  at  the  binary  relation  as  a  set-valued 
function. 

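Assume a binary relation $R$ between $S_1$ and $S_2$.

We write $\operatorname{fun} R$ for a function from $S_1$ to $\mathcal{P}\,S_2$ such that for any $s_1 \in S_1$,¹⁵
$(\operatorname{fun} R)(s_1) = \{s_2 \mid s_1 \mathrel{R} s_2\}$.

Assume a function $f : S_1 \to \mathcal{P}\,S_2$.

We write $\operatorname{rel} f$ for a binary relation between $S_1$ and $S_2$ such that for any $s_1 \in S_1$ and any $s_2 \in S_2$,
$s_1 \mathrel{(\operatorname{rel} f)} s_2 \iff s_2 \in f(s_1)$.

The following is immediate:

Proposition 3.3. The following are true:

(a) $\operatorname{rel}(\operatorname{fun} R) = R$;

(b) $\operatorname{fun}(\operatorname{rel} f) = f$.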

Proposition  3.3  suggests  an  alternative,  coalgebraic  formalization  of  the  concept  of  L-labelled  transition 
system. 

13  To  be  fair,  the  concept  of  bisimulation  has  been  independently  discovered  in  the  fields  of  modal  logic  and  set  theory  as 
well.  See  [60]  for  a  comprehensive  historical  account. 

14 Forti and Honsell had already discovered and used the concept of bisimulation to that effect in [27].

15 For every set $S$, we write $\mathcal{P}\,S$ for the power set of $S$, namely the set of all subsets of $S$.

We write Pow for the power-set endofunctor on Class, namely an endofunctor on Class that assigns to
every class $C$ the class

$\operatorname{Pow} C = \{S \mid S \text{ is a set, and } S \subseteq C\}$,
and to every class function $f : C_1 \to C_2$ a class function
$\operatorname{Pow} f : \operatorname{Pow} C_1 \to \operatorname{Pow} C_2$
such that for every $S \in \operatorname{Pow} C_1$,

$(\operatorname{Pow} f)(S) = \{f(s) \mid s \in S\}$.

Notice that if the class $C$ is actually a set, then

$\operatorname{Pow} C = \mathcal{P}\,C$.

We now compose Pow with the left product endofunctor $L \times \operatorname{Id}$ on Class to obtain the endofunctor
$\operatorname{Pow} \circ (L \times \operatorname{Id})$ on Class, which assigns to every class $C$ the class

$\operatorname{Pow}(L \times C) = \{S \mid S \text{ is a set, and } S \subseteq L \times C\}$,

and to every class function $f : C_1 \to C_2$ a class function

$\operatorname{Pow}(L \times f) : \operatorname{Pow}(L \times C_1) \to \operatorname{Pow}(L \times C_2)$

such that for every $S \in \operatorname{Pow}(L \times C_1)$,

$\operatorname{Pow}(L \times f)(S) = \{(l, f(s)) \mid (l, s) \in S\}$.

An L-labelled transition system $(S, T)$ can then be represented as a $(\operatorname{Pow} \circ (L \times \operatorname{Id}))$-coalgebra, namely as
$(S, \operatorname{fun} T)$, and conversely, a $(\operatorname{Pow} \circ (L \times \operatorname{Id}))$-coalgebra $(C, \tau)$ as an L-labelled transition system, namely as
$(C, \operatorname{rel} \tau)$, with the caveat, of course, that $C$ be a set. But this is only an arbitrary constraint on the size of
a system. There is no fundamental reason why we should disqualify a system for being too large.

Definition 3.4. An L-labelled transition coalgebra is a $(\operatorname{Pow} \circ (L \times \operatorname{Id}))$-coalgebra.

We  write  L-LTC  for  the  category  whose  objects  are  all  the  L-labelled  transition  coalgebras,  and  arrows  all 
the  homomorphisms  from  one  L-labelled  transition  coalgebra  to  another. 

Formally,  we  will  treat  L-labelled  transition  systems  and  L-labelled  transition  coalgebras  as  distinct 
concepts.  But  informally,  we  shall  think  of  an  L-labelled  transition  coalgebra  as  an  L-labelled  transition 
system,  no  matter  how  large  the  carrier  of  the  coalgebra  is. 

Assume an L-labelled transition coalgebra $(C, \tau)$.

We write $c \xrightarrow{l}_\tau c'$ if and only if $(l, c') \in \tau(c)$.

The following is immediate:

Proposition 3.5. The following are true:

(a) $s \xrightarrow{l}_T s'$ if and only if $s \xrightarrow{l}_{\operatorname{fun} T} s'$;

(b) if $(C, \tau)$ is small, then $c \xrightarrow{l}_\tau c'$ if and only if $c \xrightarrow{l}_{\operatorname{rel} \tau} c'$.

Assume L-labelled transition coalgebras $(C_1, \tau_1)$ and $(C_2, \tau_2)$.

Proposition 3.6. $B$ is a bisimulation between $(C_1, \tau_1)$ and $(C_2, \tau_2)$ if and only if $B$ is a binary class
relation between $C_1$ and $C_2$, and for any $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$, the following are true:

(a) if $c_1 \xrightarrow{l}_{\tau_1} c_1'$, then there is $c_2'$ such that $c_2 \xrightarrow{l}_{\tau_2} c_2'$ and $c_1' \mathrel{B} c_2'$;

(b) if $c_2 \xrightarrow{l}_{\tau_2} c_2'$, then there is $c_1'$ such that $c_1 \xrightarrow{l}_{\tau_1} c_1'$ and $c_1' \mathrel{B} c_2'$.

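Proof. Suppose that $B$ is a bisimulation between $(C_1, \tau_1)$ and $(C_2, \tau_2)$.

Let $(\operatorname{graph} B, \beta)$ be an L-labelled transition coalgebra such that $\operatorname{dpr} B$ is a homomorphism from
$(\operatorname{graph} B, \beta)$ to $(C_1, \tau_1)$, and $\operatorname{cpr} B$ one from $(\operatorname{graph} B, \beta)$ to $(C_2, \tau_2)$.

Assume $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$.

Then

$\operatorname{Pow}(L \times \operatorname{dpr} B)(\beta((c_1, c_2))) = \tau_1((\operatorname{dpr} B)((c_1, c_2)))$,
and hence, by definition of $\operatorname{Pow} \circ (L \times \operatorname{Id})$ and $\operatorname{dpr} B$,

$\{(l, c_1') \mid (l, (c_1', c_2')) \in \beta((c_1, c_2))\} = \tau_1(c_1)$.

By extensionality, this is equivalent to the following being true:

(i) if $(c_1, c_2) \xrightarrow{l}_\beta (c_1', c_2')$, then $c_1 \xrightarrow{l}_{\tau_1} c_1'$;

(ii) if $c_1 \xrightarrow{l}_{\tau_1} c_1'$, then there is $c_2'$ such that $(c_1, c_2) \xrightarrow{l}_\beta (c_1', c_2')$.

And by symmetry, the following are true:

(iii) if $(c_1, c_2) \xrightarrow{l}_\beta (c_1', c_2')$, then $c_2 \xrightarrow{l}_{\tau_2} c_2'$;

(iv) if $c_2 \xrightarrow{l}_{\tau_2} c_2'$, then there is $c_1'$ such that $(c_1, c_2) \xrightarrow{l}_\beta (c_1', c_2')$.

By (ii) and (iii), (a) is true, and by (iv) and (i), (b) is true.

Thus, by generalization, for any $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$, (a) and (b) are true.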

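Conversely, suppose that $B$ is a binary class relation between $C_1$ and $C_2$, and for any $c_1$ and $c_2$ such that
$c_1 \mathrel{B} c_2$, (a) and (b) are true.

Let $\beta$ be a class function from $\operatorname{graph} B$ to $\operatorname{Pow}(L \times \operatorname{graph} B)$ such that for any $(c_1, c_2) \in \operatorname{graph} B$,

$\beta((c_1, c_2)) = \{(l, (c_1', c_2')) \mid c_1 \xrightarrow{l}_{\tau_1} c_1',\ c_2 \xrightarrow{l}_{\tau_2} c_2', \text{ and } (c_1', c_2') \in \operatorname{graph} B\}$.

Assume $(c_1, c_2) \in \operatorname{graph} B$.

Then the following is immediately true:

(v) if $(c_1, c_2) \xrightarrow{l}_\beta (c_1', c_2')$, then $c_1 \xrightarrow{l}_{\tau_1} c_1'$.

Also, by (a) and (b), the following is true:

(vi) if $c_1 \xrightarrow{l}_{\tau_1} c_1'$, then there is $c_2'$ such that $(c_1, c_2) \xrightarrow{l}_\beta (c_1', c_2')$.

By (v), (vi), and extensionality,

$\{(l, c_1') \mid (l, (c_1', c_2')) \in \beta((c_1, c_2))\} = \tau_1(c_1)$,
and hence, by definition of $\operatorname{Pow} \circ (L \times \operatorname{Id})$ and $\operatorname{dpr} B$,

$\operatorname{Pow}(L \times \operatorname{dpr} B)(\beta((c_1, c_2))) = \tau_1((\operatorname{dpr} B)((c_1, c_2)))$.

And by symmetry,

$\operatorname{Pow}(L \times \operatorname{cpr} B)(\beta((c_1, c_2))) = \tau_2((\operatorname{cpr} B)((c_1, c_2)))$.

Thus, by generalization, $B$ is a bisimulation between $(C_1, \tau_1)$ and $(C_2, \tau_2)$. □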

The  following  is  immediate  from  Proposition  3.5(a),  3.6,  and  the  definition  of  bisimulation  between  labelled 
transition  systems: 

Proposition 3.7. $B$ is a bisimulation between $(S_1, T_1)$ and $(S_2, T_2)$ if and only if $B$ is a bisimulation
between the L-labelled transition coalgebras $(S_1, \operatorname{fun} T_1)$ and $(S_2, \operatorname{fun} T_2)$.
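
For finite systems, the passage between relation and set-valued function (Proposition 3.3), the clauses of Definition 3.2 and Proposition 3.6, and the earlier remark that bisimilarity is finer than trace equivalence can all be checked mechanically. The following is an added example, not code from the paper: the three small systems are constructed here (they are not those of Figure 1), and all function and variable names are this example's own.

```python
from itertools import product


def fun(S, T):
    """fun T: the relation T between S and L x S, as a map s -> {(l, s') | s T (l, s')}."""
    return {s: frozenset(ls for (s0, ls) in T if s0 == s) for s in S}


def rel(tau):
    """rel tau: the set-valued map tau read back as a relation between S and L x S."""
    return {(s, ls) for s, succ in tau.items() for ls in succ}


def pow_l_times(f, subset):
    """Pow(L x f)(S) = {(l, f(s)) | (l, s) in S}, with f given as a dict."""
    return frozenset((l, f[s]) for (l, s) in subset)


def is_homomorphism(h, tau1, tau2):
    """h is a homomorphism iff Pow(L x h)(tau1(c)) == tau2(h(c)) for every c."""
    return all(pow_l_times(h, tau1[c]) == tau2[h[c]] for c in tau1)


def _pair_ok(c1, c2, B, tau1, tau2):
    # Clause (a): every move of c1 is matched by an equally labelled move of c2 into B.
    forth = all(any(l2 == l and (d1, d2) in B for (l2, d2) in tau2[c2])
                for (l, d1) in tau1[c1])
    # Clause (b): every move of c2 is matched by an equally labelled move of c1 into B.
    back = all(any(l1 == l and (d1, d2) in B for (l1, d1) in tau1[c1])
               for (l, d2) in tau2[c2])
    return forth and back


def is_bisimulation(B, tau1, tau2):
    """Check clauses (a) and (b) for every pair of the relation B (a set of pairs)."""
    return all(_pair_ok(c1, c2, B, tau1, tau2) for (c1, c2) in B)


def greatest_bisimulation(tau1, tau2):
    """Largest bisimulation between two finite coalgebras: start from the full
    relation and discard violating pairs until nothing changes."""
    B = set(product(tau1, tau2))
    while True:
        bad = {(c1, c2) for (c1, c2) in B if not _pair_ok(c1, c2, B, tau1, tau2)}
        if not bad:
            return B
        B -= bad


def traces(tau, s, depth):
    """Label sequences of length at most depth that can be read off starting at s."""
    out = {()}
    if depth > 0:
        for (l, t) in tau[s]:
            out |= {(l,) + w for w in traces(tau, t, depth - 1)}
    return out


# Constructed sample systems over L = {a, b, c}.
# P: one a-move, then a choice between b and c.
P_STATES = {"p0", "p1", "p2", "p3"}
P_T = {("p0", ("a", "p1")), ("p1", ("b", "p2")), ("p1", ("c", "p3"))}
# Q: the choice is made by the a-move itself.
Q_STATES = {"q0", "q1", "q2", "q3", "q4"}
Q_T = {("q0", ("a", "q1")), ("q0", ("a", "q2")),
       ("q1", ("b", "q3")), ("q2", ("c", "q4"))}
# R: two copies of P's branch behind two a-moves.
R_STATES = {"r0", "r1", "r2", "r3", "r4", "r5", "r6"}
R_T = {("r0", ("a", "r1")), ("r0", ("a", "r2")),
       ("r1", ("b", "r3")), ("r1", ("c", "r4")),
       ("r2", ("b", "r5")), ("r2", ("c", "r6"))}

TAU_P, TAU_Q, TAU_R = fun(P_STATES, P_T), fun(Q_STATES, Q_T), fun(R_STATES, R_T)

# A map from R to P that collapses the duplicated branch.
H_R_TO_P = {"r0": "p0", "r1": "p1", "r2": "p1",
            "r3": "p2", "r5": "p2", "r4": "p3", "r6": "p3"}

if __name__ == "__main__":
    print("rel(fun T) == T:", rel(TAU_P) == P_T)
    print("same traces p0/q0:", traces(TAU_P, "p0", 3) == traces(TAU_Q, "q0", 3))
    print("p0 ~ q0:", ("p0", "q0") in greatest_bisimulation(TAU_P, TAU_Q))
    print("p0 ~ r0:", ("p0", "r0") in greatest_bisimulation(TAU_P, TAU_R))
    print("h is a homomorphism:", is_homomorphism(H_R_TO_P, TAU_R, TAU_P))
```

The states p0 and q0 have the same traces but are not bisimilar, while the collapsing map from R to P is a homomorphism whose graph is itself a bisimulation.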

Now,  suppose  that  we  wanted  to  use  L-labelled  transition  systems  to  model  the  behaviour  of  processes  of 
some  kind.  What  we  would  wish  for  then  is  that  there  be  a  system  complex  enough  to  model  the  behaviour 
of  every  process,  but  coarse  enough  not  to  distinguish  between  processes  of  equivalent  behaviour.  Is  there 
such  a  system? 

The  way  to  use  an  L-labelled  transition  system  to  model  the  behaviour  of  a  process  is  to  map  the  process 
to  a  state  of  the  system,  and  let  the  branching  structure  emanating  from  that  state  represent  the  behaviour 
of  the  process.  Equivalence  of  behaviour  then  amounts  to  similarity  of  branching  structure  of  some  kind, 
and  indeed,  determines  the  actual  association  between  behaviour  and  branching  structure.  If  we  let 
bisimilarity  be  that  concept  of  similarity,  and  assume  for  simplicity  that  any  state  of  every  L-labelled 
transition  system  models  the  behaviour  of  some  process,  then  our  question  becomes  an  enquiry  over  the 
existence  of  an  L-labelled  transition  system  (S,  T)  such  that  the  following  are  true: 

(i) for every L-labelled transition system $\langle S', T'\rangle$ and any $s' \in S'$, there is $s \in S$ such that $s'$ and $s$ are bisimilar among $\langle S', T'\rangle$ and $\langle S, T\rangle$;

(ii) for any $s_1, s_2 \in S$, $s_1$ and $s_2$ are bisimilar in $\langle S, T\rangle$ if and only if $s_1 = s_2$.

By  an  easy  corollary  to  Proposition  3.6,  bisimilarity  among  L-labelled  transition  coalgebras  is  a  transitive 
concept,  and  thus,  by  Theorem  2.19  and  Proposition  3.7,  a  system  will  satisfy  conditions  (i)  and  (ii)  of  our 
enquiry  if  and  only  if  it  has  a  coalgebraic  representation  that  is  final  in  L-LTC.  And  by  Theorem  2.20, 
there  is  indeed  a  final  coalgebra  in  L-LTC.  But  by  Proposition  2.21,  the  carrier  of  every  such  coalgebra  is, 
for  obvious  cardinality  reasons,  a  proper  class. 

This  should  not  come  as  a  surprise.  Having  left  the  cardinality  of  the  branching  degree  of  a  state  in  a 
system  unchecked,  it  is  only  reasonable  to  expect  that  the  different  types  of  branching  structure  be  too 
many  to  collect  inside  a  set.  One  could  bound,  in  a  suitable  sense,  the  endofunctor  to  ensure  that  a  final 
coalgebra be small (e.g., see [35, cor. 3.3]). In the case of $\mathrm{Pow} \circ (L \times \mathrm{Id})$, this would correspond to bounding
that  branching  degree  cardinality,  and  for  a  model  of  process  behaviour,  one  could  even  argue  that  this  is  a 
natural  thing  to  do.  But  here,  we  will  feel  comfortable  working  with  large  coalgebras,  and  refrain  from 
imposing  additional  constraints  just  for  the  sake  of  size.  Indeed,  the  very  reason  that  we  have  decided  to 
work  within  a  theory  of  classes  in  the  first  place  was  not  having  to  worry  about  size  at  all.  If  we  want  to 
understand  behaviour  in  terms  of  branching  structure,  then  it  seems  inappropriate  to  constrain  that 
structure  by  means  that  only  reflect  our  own  preconceptions  about  how  that  behaviour  may  come  about. 
And  a  bound  on  the  branching  degree  of  that  structure  seems  to  do  just  that:  reflect  our  own  bias  toward  a 
kind  of  process  that,  in  one  way  or  another,  “computes”  its  own  evolution  using  a  fixed  set  of  predefined 
resources. 




4  Labelled  execution  systems  and  coalgebras 


This  section  contains  the  main  body  of  this  work,  where  we  introduce  and  study  our  newly  proposed 
systems.  For  the  most  part,  we  treat  these  systems  in  the  guise  of  coalgebras.  But  for  the  benefit  of  the 
non-coalgebraist,  as  well  as  the  more  application-oriented  reader,  we  make  sure  to  translate  all  our  findings 
back  into  the  language  of  systems. 

4.1  Labelled  execution  systems 

Definition 4.1. An L-labelled execution system is an ordered pair $\langle S, E\rangle$ such that the following are true:

(a) $S$ is a set;

(b) $E$ is a binary relation between $S$ and $\mathcal{S}(L \times S)$.$^{16}$

Assume an L-labelled execution system $\langle S, E\rangle$.

We write $s \rhd_E e$ if and only if $s \mathrel{E} e$.

We call any $s \in S$ a state of $\langle S, E\rangle$, and any $\langle s, e\rangle \in \mathrm{graph}\,E$ an execution of $\langle S, E\rangle$.

Notice  that  an  execution  is  an  ordered  pair  of  a  state  and  a  sequence  of  ordered  pairs  of  labels  and  states, 
rather  than  a  single  odd-length  alternating  sequence  of  states  and  labels,  what  might  have  seemed  a  more 
natural  option.  And  while  we  do  think  that  there  is  a  certain  clarity  in  distinguishing  the  starting  state  of 
an  execution  from  any  subsequent  step,  this  was  mainly  a  choice  of  mathematical  convenience.  Its  merit 
will  soon  become  apparent. 

The  general  idea  of  an  execution  system,  if  only  unlabelled,  has  been  around  at  least  since  the  early  days  of 
temporal  logic  in  computer  science,  in  the  form  of  a  semantic  structure  called  a  path  structure  in  [57]  (e.g., 
see  [56],  [1],  and  [39]).  The  states  of  a  system  would  represent  the  various  memory  configurations  and 
control  locations  traversed  in  the  course  of  a  computation  of  a  possibly  concurrent  program,  and  the 
executions  those  computations  permitted  by  the  assumed  implementation,  and  over  which  the  modalities  of 
the  logic  were  to  be  interpreted.  But  despite  the  rich  cross-fertilization  of  ideas  between  temporal  logic  and 
process  algebra,  and  the  obvious  parallel  between  semantic  structures  and  labelled  systems  in  the  two 
fields,  path  structures  were  never  really  assimilated  for  use  as  models  of  process  theories.  In  fact,  the 
concept  of  labelled  execution  system  is  almost  absent  from  the  literature.  Looking  back  to  it,  we  could  only 
find  a  handful  of  sporadic  instances  of  the  general  notion.  We  discuss  them  in  Section  5. 

4.2  Labelled  execution  coalgebras 

As  our  choice  of  formalization  should  have  made  obvious,  the  concept  of  labelled  execution  system  is  a 
direct  generalization  of  that  of  labelled  transition  system.  The  idea  of  a  single  step  from  one  state  to 
another  is  replaced  by  that  of  an  “admissible”  path  through  the  system  over  which  a  sequence  of  steps  can 
be  taken.  The  result  is  a  more  elaborate  notion  of  branching  structure.  And  if  we  are  to  associate  this 
notion  with  behaviour  of  some  kind,  we  need  to  understand  what  constitutes  similarity  and  dissimilarity  of 
it.  In  other  words,  we  need  a  concept  of  branching  equivalence  suited  to  labelled  execution  systems.  What 
should  that  concept  be? 

In  [59],  Rutten  and  Turi  propose  a  simple  approach  to  this  type  of  problem:  all  we  have  to  do  is  find  a 
suitable  endofunctor  to  represent  our  systems  coalgebraically.  We  can  then  use  that  endofunctor  to 
instantiate the “parametric” concept of bisimulation of Definition 2.5, and obtain not only the equivalence concept that we seek, but a model too that is fully abstract with respect to that concept (see Theorem 2.19 and 2.20).$^{17}$ This is straightforward here.

16 For every set $S$, we write $\mathcal{S}\,S$ for the sequence set of $S$, namely the set of all finite and infinite sequences over $S$.

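We write Seq for the sequence-set endofunctor on Class, namely an endofunctor on Class that assigns to every class $C$ the class

$$\mathrm{Seq}\,C = \{s \mid \text{there is } S \text{ such that } S \subseteq C \text{ and } s \in \mathcal{S}\,S\},$$

and to every class function $f : C_1 \to C_2$ a class function

$$\mathrm{Seq}\,f : \mathrm{Seq}\,C_1 \to \mathrm{Seq}\,C_2$$

such that for every $s \in \mathrm{Seq}\,C_1$,

$$(\mathrm{Seq}\,f)(s) = \begin{cases} \langle\,\rangle & \text{if } s = \langle\,\rangle; \\ \langle f(\mathrm{head}\,s)\rangle \cdot (\mathrm{Seq}\,f)(\mathrm{tail}\,s) & \text{otherwise.} \end{cases}$$

Notice that if the class $C$ is actually a set, then

$$\mathrm{Seq}\,C = \mathcal{S}\,C.$$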

At  this  point,  the  reader  may  protest  against  the  seeming  circularity  in  the  way  we  have  specified  the 
action  of  Seq  on  class  functions;  what  may  look  like  a  harmless  definition  by  recursion  is  really  a 
descending  argument  over  a  possibly  infinite  deduction  sequence:  there  is  no  base  case.  A  little  thought, 
however, will suffice to convince oneself that there is nothing ambiguous about it. $\mathrm{Seq}\,f$ is a simple lift of $f$ to sequences over $\mathrm{dom}\,f$. Informally, if $\langle c_0, c_1, \ldots\rangle$ is a sequence over $\mathrm{dom}\,f$, then $(\mathrm{Seq}\,f)(\langle c_0, c_1, \ldots\rangle)$ is the result of replacing each $c_i$ in that sequence with its own image under $f$, namely the sequence $\langle f(c_0), f(c_1), \ldots\rangle$. We are thus entitled to use this contentious form of specification as a definition. The
question  is  how  do  we  justify  it  formally. 

In  principle,  we  could  use  induction  on  the  index  of  a  sequence  to  prove  that  each  point  in  that  sequence  is 
uniquely  determined.  But  we  can  do  better. 

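First, notice that $\mathrm{Seq}\,C_2$ can be given the structure of a $(\{\langle\,\rangle\} + (C_2 \times \mathrm{Id}))$-coalgebra, where $\{\langle\,\rangle\} + (C_2 \times \mathrm{Id})$ is the composite of the left sum endofunctor $\{\langle\,\rangle\} + \mathrm{Id}$ on Class with the left product endofunctor $C_2 \times \mathrm{Id}$ on Class: simply let $\sigma_2$ be a class function from $\mathrm{Seq}\,C_2$ to $\{\langle\,\rangle\} + (C_2 \times \mathrm{Seq}\,C_2)$ such that for every $s \in \mathrm{Seq}\,C_2$,

$$\sigma_2(s) = \begin{cases} (\mathrm{inj}_1(\{\langle\,\rangle\} + (C_2 \times \mathrm{Seq}\,C_2)))(\langle\,\rangle) & \text{if } s = \langle\,\rangle; \\ (\mathrm{inj}_2(\{\langle\,\rangle\} + (C_2 \times \mathrm{Seq}\,C_2)))(\langle \mathrm{head}\,s, \mathrm{tail}\,s\rangle) & \text{otherwise.} \end{cases}$$

Now, we can use $f$ to give $\mathrm{Seq}\,C_1$ the structure of a $(\{\langle\,\rangle\} + (C_2 \times \mathrm{Id}))$-coalgebra as well: just let $\sigma_1$ be a class function from $\mathrm{Seq}\,C_1$ to $\{\langle\,\rangle\} + (C_2 \times \mathrm{Seq}\,C_1)$ such that for every $s \in \mathrm{Seq}\,C_1$,

$$\sigma_1(s) = \begin{cases} (\mathrm{inj}_1(\{\langle\,\rangle\} + (C_2 \times \mathrm{Seq}\,C_1)))(\langle\,\rangle) & \text{if } s = \langle\,\rangle; \\ (\mathrm{inj}_2(\{\langle\,\rangle\} + (C_2 \times \mathrm{Seq}\,C_1)))(\langle f(\mathrm{head}\,s), \mathrm{tail}\,s\rangle) & \text{otherwise.} \end{cases}$$

All our definition says then is that $\mathrm{Seq}\,f$ is a homomorphism from $\langle \mathrm{Seq}\,C_1, \sigma_1\rangle$ to $\langle \mathrm{Seq}\,C_2, \sigma_2\rangle$. And the existence and uniqueness of this homomorphism follows from the fact that $\langle \mathrm{Seq}\,C_2, \sigma_2\rangle$ is actually final in $(\{\langle\,\rangle\} + (C_2 \times \mathrm{Id}))$-Coalg, as the reader may wish to prove.

17 The tacit assumption here is that the instantiated concept of bisimulation does indeed induce an equivalence concept. See Example 2.9 for a case where it does not.
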
With experience, all this can be inferred immediately by simple inspection of the form of the defining equations. More importantly, the same type of argument can be applied to the case of any endofunctor, even if there is no readily available representation of a final coalgebra amenable to inductive reasoning (see [49]). A definition that relies in this way on the finality of the implicit target coalgebra is what we call a definition by corecursion. This particular use of the term appears to have originated with [12], and is justified by the duality to the more familiar notion of definition by recursion, which, in similar fashion, relies on the initiality of the implicit source algebra (see [33]).

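We now compose Seq with the left product endofunctor $L \times \mathrm{Id}$ on Class to obtain the endofunctor $\mathrm{Seq} \circ (L \times \mathrm{Id})$ on Class, which assigns to every class $C$ the class

$$\mathrm{Seq}(L \times C) = \{s \mid \text{there is } S \text{ such that } S \subseteq L \times C \text{ and } s \in \mathcal{S}\,S\},$$

and to every class function $f : C_1 \to C_2$ a class function

$$\mathrm{Seq}(L \times f) : \mathrm{Seq}(L \times C_1) \to \mathrm{Seq}(L \times C_2)$$

such that for every $s \in \mathrm{Seq}(L \times C_1)$,

$$(\mathrm{Seq}(L \times f))(s) = \begin{cases} \langle\,\rangle & \text{if } s = \langle\,\rangle; \\ \langle\langle \mathrm{first}\,\mathrm{head}\,s, f(\mathrm{sec}\,\mathrm{head}\,s)\rangle\rangle \cdot (\mathrm{Seq}(L \times f))(\mathrm{tail}\,s) & \text{otherwise.}^{18} \end{cases}$$

This is another instance of a definition by corecursion. Informally, if $\langle\langle l_0, c_0\rangle, \langle l_1, c_1\rangle, \ldots\rangle$ is a sequence over $\mathrm{dom}\,f$, then

$$\mathrm{Seq}(L \times f)(\langle\langle l_0, c_0\rangle, \langle l_1, c_1\rangle, \ldots\rangle) = \langle\langle l_0, f(c_0)\rangle, \langle l_1, f(c_1)\rangle, \ldots\rangle.$$

Finally, we compose Pow with $\mathrm{Seq} \circ (L \times \mathrm{Id})$ to obtain the endofunctor $\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id})$ on Class, which assigns to every class $C$ the class

$$\mathrm{Pow}\,\mathrm{Seq}(L \times C) = \{S \mid S \text{ is a set, and } S \subseteq \mathrm{Seq}(L \times C)\},$$

and to every class function $f : C_1 \to C_2$ a class function

$$\mathrm{Pow}\,\mathrm{Seq}(L \times f) : \mathrm{Pow}\,\mathrm{Seq}(L \times C_1) \to \mathrm{Pow}\,\mathrm{Seq}(L \times C_2)$$

such that for every $S \in \mathrm{Pow}\,\mathrm{Seq}(L \times C_1)$,

$$(\mathrm{Pow}\,\mathrm{Seq}(L \times f))(S) = \{(\mathrm{Seq}(L \times f))(s) \mid s \in S\}.$$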

Just  as  we  did  with  labelled  transition  systems,  we  can  now  take  advantage  of  the  formal  analogy  between 
the  concepts  of  binary  relation  and  set-valued  function,  and  use  Proposition  3.3  to  obtain  our  coalgebraic 
representation.  This  unity  of  treatment  is  the  reward  of  our  aforementioned  formalization  choice. 

An L-labelled execution system $\langle S, E\rangle$ can then be represented as a $(\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id}))$-coalgebra, namely as $\langle S, \mathrm{fun}\,E\rangle$, and conversely, a $(\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id}))$-coalgebra $\langle C, \varepsilon\rangle$ as an L-labelled execution system, namely as $\langle C, \mathrm{rel}\,\varepsilon\rangle$, again with the caveat that $C$ be a set.

Definition 4.2. An L-labelled execution coalgebra is a $(\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id}))$-coalgebra.

18 For every ordered pair $\langle x, y\rangle$, we write $\mathrm{first}\,\langle x, y\rangle$ for $x$, and $\mathrm{sec}\,\langle x, y\rangle$ for $y$.

We write L-LEC for the category whose objects are all the L-labelled execution coalgebras, and arrows all the homomorphisms from one L-labelled execution coalgebra to another.

Once  more,  we  will  formally  treat  L-labelled  execution  systems  and  L-labelled  execution  coalgebras  as 
distinct  concepts,  but  we  shall  informally  think  of  an  L-labelled  execution  coalgebra  as  an  L-labelled 
execution  system,  no  matter  how  large  the  carrier  of  the  coalgebra  is. 

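Assume an L-labelled execution coalgebra $\langle C, \varepsilon\rangle$.

We write $c \rhd_{\varepsilon} e$ if and only if $e \in \varepsilon(c)$.

The following is immediate:

Proposition 4.3. The following are true:

(a) $s \rhd_E e$ if and only if $s \rhd_{\mathrm{fun}\,E} e$;

(b) if $\langle C, \varepsilon\rangle$ is small, then $c \rhd_{\varepsilon} e$ if and only if $c \rhd_{\mathrm{rel}\,\varepsilon} e$.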

At  this  stage,  we  could  already  use  Proposition  4.6  below  as  our  definition  of  bisimulation  between  labelled 
execution  systems.  But  we  prefer  a  different,  more  operational  one  that  will  help  us  develop  some  insight 
into  the  concept.  And  for  this,  we  need  some  more  preparation. 

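Assume a binary class relation $R : C_1 \leftrightarrow C_2$.

We write $\mathrm{Seq}(L \times R)$ for a binary class relation between $\mathrm{Seq}(L \times C_1)$ and $\mathrm{Seq}(L \times C_2)$ such that for every $e_1 \in \mathrm{Seq}(L \times C_1)$ and every $e_2 \in \mathrm{Seq}(L \times C_2)$,

$$e_1 \mathrel{\mathrm{Seq}(L \times R)} e_2 \iff \text{there is } e \in \mathrm{Seq}(L \times \mathrm{graph}\,R) \text{ such that } e_1 = \mathrm{Seq}(L \times \mathrm{dpr}\,R)(e) \text{ and } e_2 = \mathrm{Seq}(L \times \mathrm{cpr}\,R)(e).$$

$\mathrm{Seq}(L \times R)$ is a simple lift of $R$ to pairs of sequences over $L \times \mathrm{dom}\,R$ and $L \times \mathrm{cod}\,R$. Informally, if $\langle\langle l_0, c_0\rangle, \langle l_1, c_1\rangle, \ldots\rangle$ is a sequence over $\mathrm{dom}\,R$, and $\langle\langle l_0', c_0'\rangle, \langle l_1', c_1'\rangle, \ldots\rangle$ a sequence over $\mathrm{cod}\,R$, then

$$\langle\langle l_0, c_0\rangle, \langle l_1, c_1\rangle, \ldots\rangle \mathrel{\mathrm{Seq}(L \times R)} \langle\langle l_0', c_0'\rangle, \langle l_1', c_1'\rangle, \ldots\rangle$$

if and only if $l_0 = l_0'$ and $c_0 \mathrel{R} c_0'$, $l_1 = l_1'$ and $c_1 \mathrel{R} c_1'$, etc. Our choice of notation may be justified by the fact that

$$\mathrm{Seq}(L \times R) = \mathrm{Seq}(L \times ((\mathrm{dpr}\,R)^{-1} ; \mathrm{cpr}\,R)) = (\mathrm{Seq}(L \times \mathrm{dpr}\,R))^{-1} ; \mathrm{Seq}(L \times \mathrm{cpr}\,R).$$

Assume L-labelled execution coalgebras $\langle C_1, \varepsilon_1\rangle$ and $\langle C_2, \varepsilon_2\rangle$.

Proposition 4.4. $B$ is a bisimulation between $\langle C_1, \varepsilon_1\rangle$ and $\langle C_2, \varepsilon_2\rangle$ if and only if $B$ is a binary class relation between $\langle C_1, \varepsilon_1\rangle$ and $\langle C_2, \varepsilon_2\rangle$, and for any $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$, the following are true:

(a) if $c_1 \rhd_{\varepsilon_1} e_1$, then there is $e_2$ such that $c_2 \rhd_{\varepsilon_2} e_2$ and $e_1 \mathrel{\mathrm{Seq}(L \times B)} e_2$;

(b) if $c_2 \rhd_{\varepsilon_2} e_2$, then there is $e_1$ such that $c_1 \rhd_{\varepsilon_1} e_1$ and $e_1 \mathrel{\mathrm{Seq}(L \times B)} e_2$.

Proof. Suppose that $B$ is a bisimulation between $\langle C_1, \varepsilon_1\rangle$ and $\langle C_2, \varepsilon_2\rangle$.

Let $\langle \mathrm{graph}\,B, \beta\rangle$ be an L-labelled execution coalgebra such that $\mathrm{dpr}\,B$ is a homomorphism from $\langle \mathrm{graph}\,B, \beta\rangle$ to $\langle C_1, \varepsilon_1\rangle$, and $\mathrm{cpr}\,B$ one from $\langle \mathrm{graph}\,B, \beta\rangle$ to $\langle C_2, \varepsilon_2\rangle$.

Assume $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$.
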
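Then

$$\mathrm{Pow}\,\mathrm{Seq}(L \times \mathrm{dpr}\,B)(\beta(\langle c_1, c_2\rangle)) = \varepsilon_1((\mathrm{dpr}\,B)(\langle c_1, c_2\rangle)),$$

and hence, by definition of $\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id})$ and $\mathrm{dpr}\,B$,

$$\{\mathrm{Seq}(L \times \mathrm{dpr}\,B)(e) \mid e \in \beta(\langle c_1, c_2\rangle)\} = \varepsilon_1(c_1).$$

By extensionality, this is equivalent to the following being true:

(i) if $\langle c_1, c_2\rangle \rhd_{\beta} e$, then $c_1 \rhd_{\varepsilon_1} \mathrm{Seq}(L \times \mathrm{dpr}\,B)(e)$;

(ii) if $c_1 \rhd_{\varepsilon_1} e_1$, then there is $e$ such that $\mathrm{Seq}(L \times \mathrm{dpr}\,B)(e) = e_1$ and $\langle c_1, c_2\rangle \rhd_{\beta} e$.

And by symmetry, the following are true:

(iii) if $\langle c_1, c_2\rangle \rhd_{\beta} e$, then $c_2 \rhd_{\varepsilon_2} \mathrm{Seq}(L \times \mathrm{cpr}\,B)(e)$;

(iv) if $c_2 \rhd_{\varepsilon_2} e_2$, then there is $e$ such that $\mathrm{Seq}(L \times \mathrm{cpr}\,B)(e) = e_2$ and $\langle c_1, c_2\rangle \rhd_{\beta} e$.

By (ii), (iii), and definition of $\mathrm{Seq}(L \times B)$, (a) is true, and by (i), (iv), and definition of $\mathrm{Seq}(L \times B)$, (b) is true.

Thus, by generalization, for any $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$, (a) and (b) are true.

Conversely, suppose that $B$ is a binary class relation between $C_1$ and $C_2$, and for any $c_1$ and $c_2$ such that $c_1 \mathrel{B} c_2$, (a) and (b) are true.

Let $\beta$ be a class function from $\mathrm{graph}\,B$ to $\mathrm{Pow}\,\mathrm{Seq}(L \times \mathrm{graph}\,B)$ such that for any $\langle c_1, c_2\rangle \in \mathrm{graph}\,B$,

$$\beta(\langle c_1, c_2\rangle) = \{e \mid c_1 \rhd_{\varepsilon_1} \mathrm{Seq}(L \times \mathrm{dpr}\,B)(e),\ c_2 \rhd_{\varepsilon_2} \mathrm{Seq}(L \times \mathrm{cpr}\,B)(e),\ \text{and}\ e \in \mathrm{Seq}(L \times \mathrm{graph}\,B)\}.$$

Assume $\langle c_1, c_2\rangle \in \mathrm{graph}\,B$.

Then the following is immediately true:

(v) if $\langle c_1, c_2\rangle \rhd_{\beta} e$, then $c_1 \rhd_{\varepsilon_1} \mathrm{Seq}(L \times \mathrm{dpr}\,B)(e)$.

Also, by (a), (b), and the definition of $\mathrm{Seq}(L \times B)$, the following is true:

(vi) if $c_1 \rhd_{\varepsilon_1} e_1$, then there is $e$ such that $\mathrm{Seq}(L \times \mathrm{dpr}\,B)(e) = e_1$ and $\langle c_1, c_2\rangle \rhd_{\beta} e$.

By (v), (vi), and extensionality,

$$\{\mathrm{Seq}(L \times \mathrm{dpr}\,B)(e) \mid e \in \beta(\langle c_1, c_2\rangle)\} = \varepsilon_1(c_1),$$

and hence, by definition of $\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id})$ and $\mathrm{dpr}\,B$,

$$\mathrm{Pow}\,\mathrm{Seq}(L \times \mathrm{dpr}\,B)(\beta(\langle c_1, c_2\rangle)) = \varepsilon_1((\mathrm{dpr}\,B)(\langle c_1, c_2\rangle)).$$

And by symmetry,

$$\mathrm{Pow}\,\mathrm{Seq}(L \times \mathrm{cpr}\,B)(\beta(\langle c_1, c_2\rangle)) = \varepsilon_2((\mathrm{cpr}\,B)(\langle c_1, c_2\rangle)).$$

Thus, by generalization, $B$ is a bisimulation between $\langle C_1, \varepsilon_1\rangle$ and $\langle C_2, \varepsilon_2\rangle$. □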

Proposition  4.4  is  similar  to  Proposition  3.6.  The  difference  is  that  the  local  check  of  correspondence  of 
transitions  has  been  replaced  by  a  non-local  test  of  agreement  along  entire  executions.  This  is  conceptually 
in  tune  with  our  intended  change  in  scale  of  observation  from  one  type  of  system  to  the  other. 

Assume L-labelled execution systems $\langle S_1, E_1\rangle$ and $\langle S_2, E_2\rangle$.

Figure 2. $s_0$ and $s_2$ are not bisimilar, even though the only execution starting from $s_0$ is in perfect agreement with the only execution starting from $s_2$.

Definition 4.5. A bisimulation between $\langle S_1, E_1\rangle$ and $\langle S_2, E_2\rangle$ is a binary relation $B : S_1 \leftrightarrow S_2$ such that for any $s_1$ and $s_2$ such that $s_1 \mathrel{B} s_2$, the following are true:

(a) if $s_1 \rhd_{E_1} e_1$, then there is $e_2$ such that $s_2 \rhd_{E_2} e_2$ and $e_1 \mathrel{\mathrm{Seq}(L \times B)} e_2$;

(b) if $s_2 \rhd_{E_2} e_2$, then there is $e_1$ such that $s_1 \rhd_{E_1} e_1$ and $e_1 \mathrel{\mathrm{Seq}(L \times B)} e_2$.

We say that $s_1$ and $s_2$ are bisimilar among $\langle S_1, E_1\rangle$ and $\langle S_2, E_2\rangle$ if and only if there is a bisimulation $B$ between $\langle S_1, E_1\rangle$ and $\langle S_2, E_2\rangle$ such that $s_1 \mathrel{B} s_2$.

The following is of course immediate:

Proposition 4.6. $B$ is a bisimulation between $\langle S_1, E_1\rangle$ and $\langle S_2, E_2\rangle$ if and only if $B$ is a bisimulation between the L-labelled execution coalgebras $\langle S_1, \mathrm{fun}\,E_1\rangle$ and $\langle S_2, \mathrm{fun}\,E_2\rangle$.


4.3  Abrahamson  systems  and  coalgebras 

Informally,  we  can  explain  bisimilarity  of  states  of  labelled  execution  systems  in  the  same  way  as  we  did  in 
the  case  of  labelled  transition  systems.  Only  now,  paths  are  not  implicitly  inferred  from  a  transition 
relation,  but  explicitly  stipulated  as  part  of  the  system  structure.  And  this  can  have  some  peculiar  side 
effects. 

For example, consider two $\{l_0, l_1\}$-labelled execution systems, whose executions are as depicted in the left and right frames respectively of Figure 2. $s_0$ and $s_2$ are not bisimilar, simply because there is an execution starting from $s_3$, and no execution starting from $s_1$. But why should we care if there is? The only execution starting from $s_2$ has only one step, labelled $l_0$, and is in perfect agreement with the only execution starting from $s_0$, which also has only one step, also labelled $l_0$. So, intuitively, there is no difference in branching potential between the two states. We must therefore conclude that bisimilarity is, in this case, inconsistent with our informal sense of equivalence of branching structure.

A  plausible  remedy  for  this  would,  informally,  be  the  following:  for  any  path  beginning  at  a  given  state, 
discount  any  branch  off  that  path  that  is  not  a  suffix  of  another  path  beginning  at  that  same  state.  And 
indeed,  this  would  work  for  this  particular  case.  But  there  are  more  problems. 

Consider two $\{l_0, l_1, l_2\}$-labelled execution systems, whose executions are as depicted in the left and right frames respectively of Figure 3. $s_0$ and $s_5$ are bisimilar, but intuitively, there is difference in branching potential between the two states: the two executions starting from $s_0$ diverge right away at $s_0$, with steps that carry identical labels, whereas those starting from $s_5$ diverge after the first step, at $s_6$, with steps that carry different labels. Of course, the explanation here is that there is no execution starting from $s_6$, and so, conceptually, the choice between the diverging steps is already made at $s_5$. But then, what is the point of having the two executions share the state $s_6$?

Figure 3. $s_0$ and $s_5$ are bisimilar, even though the two executions starting from $s_0$ diverge right away at $s_0$, whereas those starting from $s_5$ diverge after the first step at $s_6$.
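Definition 4.5 can be checked mechanically on finite systems; the following Python sketch is an added example, not code from the paper. It handles finite executions only, and the two pairs of systems are constructed to match the text's description of Figures 2 and 3: the step out of $s_3$ and the state names s4, s7 and s8 are assumptions, since the figures themselves are not reproduced here.

```python
from itertools import product

# A system is a dict: state -> set of executions.
# An execution is a tuple of (label, state) pairs; () is the empty sequence.

def seq_related(e1, e2, B):
    """e1 Seq(L x B) e2: same length, equal labels and B-related states, step by step."""
    return len(e1) == len(e2) and all(
        l1 == l2 and (c1, c2) in B for (l1, c1), (l2, c2) in zip(e1, e2))

def greatest_bisimulation(E1, E2):
    """Largest relation satisfying clauses (a) and (b) of Definition 4.5.

    Starts from the full relation S1 x S2 and discards pairs that violate a
    clause until nothing changes (greatest fixpoint on a finite lattice).
    """
    B = set(product(E1, E2))
    changed = True
    while changed:
        changed = False
        for s1, s2 in list(B):
            # (a) every execution of s1 is matched by some execution of s2
            a = all(any(seq_related(e1, e2, B) for e2 in E2[s2]) for e1 in E1[s1])
            # (b) every execution of s2 is matched by some execution of s1
            b = all(any(seq_related(e1, e2, B) for e1 in E1[s1]) for e2 in E2[s2])
            if not (a and b):
                B.discard((s1, s2))
                changed = True
    return B

def bisimilar(E1, E2, s1, s2):
    return (s1, s2) in greatest_bisimulation(E1, E2)

# Constructed after Figure 2: one l0-step from s0 and from s2, but only s3
# (not s1) starts a further execution.
FIG2_LEFT = {"s0": {(("l0", "s1"),)}, "s1": set()}
FIG2_RIGHT = {"s2": {(("l0", "s3"),)}, "s3": {(("l1", "s4"),)}, "s4": set()}

# Constructed after Figure 3: the executions from s0 split at s0, those from
# s5 share the state s6 and split there; no other state starts an execution.
FIG3_LEFT = {
    "s0": {(("l0", "s1"), ("l1", "s2")), (("l0", "s3"), ("l2", "s4"))},
    "s1": set(), "s2": set(), "s3": set(), "s4": set(),
}
FIG3_RIGHT = {
    "s5": {(("l0", "s6"), ("l1", "s7")), (("l0", "s6"), ("l2", "s8"))},
    "s6": set(), "s7": set(), "s8": set(),
}

if __name__ == "__main__":
    print("Figure 2, s0 ~ s2:", bisimilar(FIG2_LEFT, FIG2_RIGHT, "s0", "s2"))
    print("Figure 3, s0 ~ s5:", bisimilar(FIG3_LEFT, FIG3_RIGHT, "s0", "s5"))
```

The check fails for Figure 2 only because the pair (s1, s3) is discarded, and succeeds for Figure 3 because both s1 and s3 are related to s6, which is exactly the mismatch with intuition that the text describes.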


By  now,  the  reader  should  begin  to  suspect  what  the  source  of  our  problems  is:  what  we  have  called 
“state”  in  our  systems  does  not  really  behave  as  such.  In  a  type  of  system  that  is  supposed  to  serve  as  a 
modelling  device  for  processes  of  some  kind,  it  is  essential  that  “the  future  behavior  depends  only  upon  the 
current  state,  and  not  upon  how  that  state  was  reached”.  And  this  is  not  always  the  case  here.  What  we 
need  to  do  is  constrain  the  structure  of  our  systems  so  that  it  is. 

Of course, this idea is not new. The quote above is from [39, p. 176], where Lamport required that the set of paths in a path structure be suffix closed, in the sense that for any path in the set, any suffix of that path is again a path in the set. It was later observed in [25] that this is not enough: one must also require that the set of paths be fusion closed, in the sense that for any prefix of a path in the set, and any suffix of another path in the set, if the former ends at the state at which the latter begins, then their fusion at that state is again a path in the set (see [56]). And apparently, it was Abrahamson, in [1], that first considered path structures that satisfied both requirements (see [19]).

We  now  adapt  these  requirements  to  our  own  setting. 

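We say that $\langle S, E\rangle$ is Abrahamson if and only if the following are true:

(i) for every $s$, $l$, $s'$, and $e'$, if $s \rhd_E \langle\langle l, s'\rangle\rangle \cdot e'$, then $s' \rhd_E e'$;

(ii) for every $s$, $l$, $s'$, $e_1'$, and $e_2'$, if $s \rhd_E \langle\langle l, s'\rangle\rangle \cdot e_1'$ and $s' \rhd_E e_2'$, then $s \rhd_E \langle\langle l, s'\rangle\rangle \cdot e_2'$.

We say that $\langle C, \varepsilon\rangle$ is Abrahamson if and only if the following are true:

(iii) for every $c$, $l$, $c'$, and $e'$, if $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e'$, then $c' \rhd_{\varepsilon} e'$;

(iv) for every $c$, $l$, $c'$, $e_1'$, and $e_2'$, if $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_1'$ and $c' \rhd_{\varepsilon} e_2'$, then $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_2'$.

Here, (i) and (iii) correspond to suffix closure, and (ii) and (iv), assuming (i) and (iii) respectively, to fusion closure.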
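Conditions (i) and (ii) can be tested directly on a finite system; the following Python checker is an added example, not code from the paper. It covers finite executions only, and all four sample systems are constructed for illustration (the first follows the text's description of the right frame of Figure 3, with state names s7 and s8 assumed).

```python
# A system is a dict: state -> set of executions.
# An execution is a tuple of (label, state) pairs; () is the empty sequence.

def abrahamson_violations(E):
    """List the executions whose absence breaks condition (i) or (ii).

    Each entry is (kind, state, execution): the named state would have to
    admit that execution for the system to be Abrahamson.
    """
    missing = set()
    for s, execs in E.items():
        for e in execs:
            if not e:
                continue  # the empty execution has no first step to split off
            first, rest = e[0], e[1:]
            s_next = first[1]
            # (i) suffix closure: s |> <first> . rest  implies  s_next |> rest
            if rest not in E[s_next]:
                missing.add(("suffix", s_next, rest))
            # (ii) fusion closure: s |> <first> . rest and s_next |> e2
            #      imply  s |> <first> . e2
            for e2 in E[s_next]:
                fused = (first,) + e2
                if fused not in execs:
                    missing.add(("fusion", s, fused))
    return sorted(missing)

def is_abrahamson(E):
    return not abrahamson_violations(E)

# Constructed: two executions share s6, but s6 itself starts no execution.
NO_SUFFIX = {
    "s5": {(("l0", "s6"), ("l1", "s7")), (("l0", "s6"), ("l2", "s8"))},
    "s6": set(), "s7": set(), "s8": set(),
}

# Constructed: suffix closed, but s0 cannot continue with l2 after reaching s1.
NO_FUSION = {
    "s0": {(("l0", "s1"), ("l1", "s2"))},
    "s1": {(("l1", "s2"),), (("l2", "s3"),)},
    "s2": {()}, "s3": {()},
}

# Constructed: NO_FUSION with the missing fused execution added.
ABRAHAMSON = dict(NO_FUSION)
ABRAHAMSON["s0"] = NO_FUSION["s0"] | {(("l0", "s1"), ("l2", "s3"))}

# Constructed edge case: a self-loop. Fusion closure keeps demanding a longer
# execution, so no finite set of finite executions through a cycle can pass.
CYCLE = {"s0": {(), (("l0", "s0"),)}}

if __name__ == "__main__":
    for name, system in [("NO_SUFFIX", NO_SUFFIX), ("NO_FUSION", NO_FUSION),
                         ("ABRAHAMSON", ABRAHAMSON), ("CYCLE", CYCLE)]:
        print(name, abrahamson_violations(system))
```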

The  following  is  immediate  from  4.3(a): 

Proposition 4.7. $\langle S, E\rangle$ is Abrahamson if and only if the L-labelled execution coalgebra $\langle S, \mathrm{fun}\,E\rangle$ is Abrahamson.

We  write  L-LECAbr  for  the  category  whose  objects  are  all  the  Abrahamson  L-labelled  execution 
coalgebras,  and  arrows  all  the  homomorphisms  from  one  Abrahamson  L-labelled  execution  coalgebra  to 
another. 

L-LECAbr  is  clearly  a  full  subcategory  of  L-LEC,  and  a  good  example  of  a  case  where  certain  kinds  of 
structure  have  been  systematically  ruled  out.  If  we  are  to  use  an  L-labelled  execution  system  to  model  the 
behaviour  of  processes  of  some  kind,  then  we  must  rule  non-Abrahamson  systems  out.  And  in  that  case,  a 
final L-labelled execution coalgebra is no longer the right choice of model; it is simply too big, containing nonsensical pieces of structure that are neither needed nor wanted. The following allows us to cut any such coalgebra down to size:

Theorem 4.8. L-LECAbr is a $(\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id}))$-covariety.

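Proof. Assume an Abrahamson L-labelled execution coalgebra $\langle C, \varepsilon\rangle$.

Suppose that $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$ is a homomorphic image of $\langle C, \varepsilon\rangle$.

Then there is a surjective homomorphism $h$ from $\langle C, \varepsilon\rangle$ to $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$.

Assume $c_{\mathrm{hi}}$, $l$, $c_{\mathrm{hi}}'$, and $e_{\mathrm{hi}}'$ such that $c_{\mathrm{hi}} \rhd_{\varepsilon_{\mathrm{hi}}} \langle\langle l, c_{\mathrm{hi}}'\rangle\rangle \cdot e_{\mathrm{hi}}'$.

Since $h$ is a surjective function from $C$ to $C_{\mathrm{hi}}$, there is $c \in C$ such that $c_{\mathrm{hi}} = h(c)$. And since $h$ is a homomorphism from $\langle C, \varepsilon\rangle$ to $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$, there is $c'$ and $e'$ such that $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e'$ and

$$\langle\langle l, c_{\mathrm{hi}}'\rangle\rangle \cdot e_{\mathrm{hi}}' = \langle\langle l, h(c')\rangle\rangle \cdot \mathrm{Seq}(L \times h)(e').$$

Since $\langle C, \varepsilon\rangle$ is Abrahamson, $c' \rhd_{\varepsilon} e'$, and thus, since $h$ is a homomorphism from $\langle C, \varepsilon\rangle$ to $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$, $c_{\mathrm{hi}}' \rhd_{\varepsilon_{\mathrm{hi}}} e_{\mathrm{hi}}'$.

Assume $c_{\mathrm{hi}}$, $l$, $c_{\mathrm{hi}}'$, $e_{\mathrm{hi}1}'$, and $e_{\mathrm{hi}2}'$ such that $c_{\mathrm{hi}} \rhd_{\varepsilon_{\mathrm{hi}}} \langle\langle l, c_{\mathrm{hi}}'\rangle\rangle \cdot e_{\mathrm{hi}1}'$ and $c_{\mathrm{hi}}' \rhd_{\varepsilon_{\mathrm{hi}}} e_{\mathrm{hi}2}'$.

Since $h$ is a surjective function from $C$ to $C_{\mathrm{hi}}$, there is $c \in C$ such that $c_{\mathrm{hi}} = h(c)$. And since $h$ is a homomorphism from $\langle C, \varepsilon\rangle$ to $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$, there is $c'$, $e_1'$, and $e_2'$ such that $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_1'$,

$$\langle\langle l, c_{\mathrm{hi}}'\rangle\rangle \cdot e_{\mathrm{hi}1}' = \langle\langle l, h(c')\rangle\rangle \cdot \mathrm{Seq}(L \times h)(e_1'),$$

$c' \rhd_{\varepsilon} e_2'$, and

$$e_{\mathrm{hi}2}' = \mathrm{Seq}(L \times h)(e_2').$$

Since $\langle C, \varepsilon\rangle$ is Abrahamson, $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_2'$, and thus, since $h$ is a homomorphism from $\langle C, \varepsilon\rangle$ to $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$, $c_{\mathrm{hi}} \rhd_{\varepsilon_{\mathrm{hi}}} \langle\langle l, c_{\mathrm{hi}}'\rangle\rangle \cdot e_{\mathrm{hi}2}'$.

Thus, by generalization, $\langle C_{\mathrm{hi}}, \varepsilon_{\mathrm{hi}}\rangle$ is Abrahamson.

Thus, by generalization, L-LECAbr is closed under the formation of homomorphic images.

Assume an Abrahamson L-labelled execution coalgebra $\langle C, \varepsilon\rangle$.

Suppose that $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ is a subcoalgebra of $\langle C, \varepsilon\rangle$.

Then $C_{\mathrm{sub}} \subseteq C$ and $C_{\mathrm{sub}} \hookrightarrow C$ is a homomorphism from $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ to $\langle C, \varepsilon\rangle$.

Assume $c$, $l$, $c'$, and $e'$ such that $c \rhd_{\varepsilon_{\mathrm{sub}}} \langle\langle l, c'\rangle\rangle \cdot e'$.

Since $C_{\mathrm{sub}} \subseteq C$, $c, c' \in C$. And since $C_{\mathrm{sub}} \hookrightarrow C$ is a homomorphism from $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ to $\langle C, \varepsilon\rangle$, $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e'$. Since $\langle C, \varepsilon\rangle$ is Abrahamson, $c' \rhd_{\varepsilon} e'$, and thus, since $C_{\mathrm{sub}} \hookrightarrow C$ is a homomorphism from $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ to $\langle C, \varepsilon\rangle$, $c' \rhd_{\varepsilon_{\mathrm{sub}}} e'$.

Assume $c$, $l$, $c'$, $e_1'$ and $e_2'$ such that $c \rhd_{\varepsilon_{\mathrm{sub}}} \langle\langle l, c'\rangle\rangle \cdot e_1'$ and $c' \rhd_{\varepsilon_{\mathrm{sub}}} e_2'$.

Since $C_{\mathrm{sub}} \subseteq C$, $c, c' \in C$. And since $C_{\mathrm{sub}} \hookrightarrow C$ is a homomorphism from $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ to $\langle C, \varepsilon\rangle$, $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_1'$ and $c' \rhd_{\varepsilon} e_2'$. Since $\langle C, \varepsilon\rangle$ is Abrahamson, $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_2'$ and thus, since $C_{\mathrm{sub}} \hookrightarrow C$ is a homomorphism from $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ to $\langle C, \varepsilon\rangle$, $c \rhd_{\varepsilon_{\mathrm{sub}}} \langle\langle l, c'\rangle\rangle \cdot e_2'$.

Thus, by generalization, $\langle C_{\mathrm{sub}}, \varepsilon_{\mathrm{sub}}\rangle$ is Abrahamson.

Thus, by generalization, L-LECAbr is closed under the formation of subcoalgebras.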

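Assume a class-indexed family $\{\langle C_i, \varepsilon_i\rangle\}_{i \in I}$ of Abrahamson L-labelled execution coalgebras.

Let $\langle C, \varepsilon\rangle = \sum_{i \in I} \langle C_i, \varepsilon_i\rangle$.

Assume $c$, $l$, $c'$, and $e'$ such that $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e'$.

Since $\langle C, \varepsilon\rangle = \sum_{i \in I} \langle C_i, \varepsilon_i\rangle$, there is $j \in I$ and $c_j \in C_j$ such that $c = (\mathrm{inj}_j \sum_{i \in I} C_i)(c_j)$. And since $\mathrm{inj}_j \sum_{i \in I} C_i$ is a homomorphism from $\langle C_j, \varepsilon_j\rangle$ to $\langle C, \varepsilon\rangle$, there is $c_j'$ and $e_j'$ such that $c_j \rhd_{\varepsilon_j} \langle\langle l, c_j'\rangle\rangle \cdot e_j'$ and

$$\langle\langle l, c'\rangle\rangle \cdot e' = \langle\langle l, (\mathrm{inj}_j \textstyle\sum_{i \in I} C_i)(c_j')\rangle\rangle \cdot \mathrm{Seq}(L \times \mathrm{inj}_j \textstyle\sum_{i \in I} C_i)(e_j').$$

Since $\langle C_j, \varepsilon_j\rangle$ is Abrahamson, $c_j' \rhd_{\varepsilon_j} e_j'$, and thus, since $\mathrm{inj}_j \sum_{i \in I} C_i$ is a homomorphism from $\langle C_j, \varepsilon_j\rangle$ to $\langle C, \varepsilon\rangle$, $c' \rhd_{\varepsilon} e'$.

Assume $c$, $l$, $c'$, $e_1'$ and $e_2'$ such that $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_1'$ and $c' \rhd_{\varepsilon} e_2'$.

Since $\langle C, \varepsilon\rangle = \sum_{i \in I} \langle C_i, \varepsilon_i\rangle$, there is $j \in I$ and $c_j \in C_j$ such that $c = (\mathrm{inj}_j \sum_{i \in I} C_i)(c_j)$. And since $\mathrm{inj}_j \sum_{i \in I} C_i$ is a homomorphism from $\langle C_j, \varepsilon_j\rangle$ to $\langle C, \varepsilon\rangle$, there is $c_j'$, $e_{j1}'$ and $e_{j2}'$ such that $c_j \rhd_{\varepsilon_j} \langle\langle l, c_j'\rangle\rangle \cdot e_{j1}'$,

$$\langle\langle l, c'\rangle\rangle \cdot e_1' = \langle\langle l, (\mathrm{inj}_j \textstyle\sum_{i \in I} C_i)(c_j')\rangle\rangle \cdot \mathrm{Seq}(L \times \mathrm{inj}_j \textstyle\sum_{i \in I} C_i)(e_{j1}'),$$

$c_j' \rhd_{\varepsilon_j} e_{j2}'$, and

$$e_2' = \mathrm{Seq}(L \times \mathrm{inj}_j \textstyle\sum_{i \in I} C_i)(e_{j2}').$$

Since $\langle C_j, \varepsilon_j\rangle$ is Abrahamson, $c_j \rhd_{\varepsilon_j} \langle\langle l, c_j'\rangle\rangle \cdot e_{j2}'$ and thus, since $\mathrm{inj}_j \sum_{i \in I} C_i$ is a homomorphism from $\langle C_j, \varepsilon_j\rangle$ to $\langle C, \varepsilon\rangle$, $c \rhd_{\varepsilon} \langle\langle l, c'\rangle\rangle \cdot e_2'$.

Thus, by generalization, $\langle C, \varepsilon\rangle$, or equivalently, $\sum_{i \in I} \langle C_i, \varepsilon_i\rangle$, is Abrahamson.

Thus, by generalization, L-LECAbr is closed under the formation of direct sums.

Thus, L-LECAbr is a $(\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id}))$-covariety. □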

The  following  is  immediate  from  Theorem  2.24: 

Corollary 4.9. There is an L-labelled execution coalgebra that is final in L-LECAbr.

Thus,  by  Theorem  2.23,  there  is  a  strongly  extensional  Abrahamson  L-labelled  execution  coalgebra  that 
subsumes  the  structure  of  every  other  Abrahamson  L-labelled  execution  coalgebra. 

4.4  Underlying  labelled  transition  systems  and  coalgebras 

In  an  Abrahamson  system,  there  is  a  clear  notion  of  a  “possible  next  step”  relation,  which  induces  the 
construction  of  an  associated,  or  better,  underlying  labelled  transition  system.  From  a  mathematical 
standpoint,  this  construction  makes  sense  for  a  non-Abrahamson  system  as  well,  and  is  most  conveniently 
carried  out  on  the  coalgebra  side  of  the  theory. 

Assume  a  class  C. 

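We write $\eta(C)$ for a class function from $\mathrm{Pow}\,\mathrm{Seq}(L \times C)$ to $\mathrm{Pow}(L \times C)$ such that for every $S \in \mathrm{Pow}\,\mathrm{Seq}(L \times C)$,

$$\eta(C)(S) = \{\mathrm{head}\ s \mid s \in S \text{ and } s \neq \langle\,\rangle\}.$$

Our choice of notation here is not arbitrary. We think of $\eta$ as an operator that assigns to every class $C$ a class function from its image under $\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id})$ to its image under $\mathrm{Pow} \circ (L \times \mathrm{Id})$. And what is interesting about this operator is that for every class function $f : C_1 \to C_2$,

$$\eta(C_2) \circ \mathrm{Pow}\,\mathrm{Seq}(L \times f) = \mathrm{Pow}(L \times f) \circ \eta(C_1),$$

or equivalently, the following diagram commutes:

$$\begin{array}{ccc}
\mathrm{Pow}\,\mathrm{Seq}(L \times C_1) & \xrightarrow{\ \eta(C_1)\ } & \mathrm{Pow}(L \times C_1) \\
\big\downarrow{\scriptstyle \mathrm{Pow}\,\mathrm{Seq}(L \times f)} & & \big\downarrow{\scriptstyle \mathrm{Pow}(L \times f)} \\
\mathrm{Pow}\,\mathrm{Seq}(L \times C_2) & \xrightarrow{\ \eta(C_2)\ } & \mathrm{Pow}(L \times C_2)
\end{array}$$
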

In the language of category theory, this makes $\eta$ a natural transformation from $\mathrm{Pow} \circ \mathrm{Seq} \circ (L \times \mathrm{Id})$ to $\mathrm{Pow} \circ (L \times \mathrm{Id})$.

The reason why it is of interest to us here that $\eta$ is a natural transformation is a theorem by Rutten, according to which, every natural transformation $\nu$ from an endofunctor $F_1$ on Class to an endofunctor $F_2$ on Class induces a functor from $F_1$-Coalg to $F_2$-Coalg that assigns to every $F_1$-coalgebra $\langle C, \gamma \rangle$ the $F_2$-coalgebra $\langle C, \nu(C) \circ \gamma \rangle$, and to every homomorphism $h$ from an $F_1$-coalgebra $\langle C_1, \gamma_1 \rangle$ to an $F_1$-coalgebra $\langle C_2, \gamma_2 \rangle$ that same class function $h$, which is now a homomorphism from the $F_2$-coalgebra $\langle C_1, \nu(C_1) \circ \gamma_1 \rangle$ to the $F_2$-coalgebra $\langle C_2, \nu(C_2) \circ \gamma_2 \rangle$ (see [58, thm. 15.1]). In other words, the induced functor preserves homomorphisms, and thus, by Theorem 2.6, bisimulations too.

In our case, the functor induced by $\eta$ is a forgetful functor, which, informally, keeps only the first step, if any, from any execution starting from any state, and discards the rest.

The  following  is  immediate  from  Rutten’s  theorem,  but  a  more  direct  proof  would  require  only  little  extra 
work: 


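Theorem 4.10. If $h$ is a homomorphism from $\langle C_1, \varepsilon_1 \rangle$ to $\langle C_2, \varepsilon_2 \rangle$, then $h$ is a homomorphism from the $L$-labelled transition coalgebra $\langle C_1, \eta(C_1) \circ \varepsilon_1 \rangle$ to the $L$-labelled transition coalgebra $\langle C_2, \eta(C_2) \circ \varepsilon_2 \rangle$.

The following is now immediate from Theorem 2.6 and 4.10:

Corollary 4.11. If $B$ is a bisimulation between $\langle C_1, \varepsilon_1 \rangle$ and $\langle C_2, \varepsilon_2 \rangle$, then $B$ is a bisimulation between the $L$-labelled transition coalgebras $\langle C_1, \eta(C_1) \circ \varepsilon_1 \rangle$ and $\langle C_2, \eta(C_2) \circ \varepsilon_2 \rangle$.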

Of  course,  we  can  translate  all  this  back  to  the  system  side  of  the  theory. 

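Assume a binary relation $E : S \leftrightarrow \mathrm{Seq}(L \times S)$.

We write $\mathrm{trans}\ E$ for a binary relation between $S$ and $L \times S$ such that for any $s \in S$ and any $(l, s') \in L \times S$,

$$s\ (\mathrm{trans}\ E)\ (l, s') \iff \text{there is } e \text{ such that } s\ E\ e,\ e \neq \langle\,\rangle, \text{ and } \mathrm{head}\ e = (l, s').$$

The following is trivial:

Proposition 4.12. $\mathrm{trans}\ E = \mathrm{rel}(\eta(S) \circ \mathrm{fun}\ E)$.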

The  following  is  now  immediate  from  Proposition  3.3(b),  3.7,  and  4.6,  Corollary  4.11,  and  Proposition  4.12: 

Theorem 4.13. If $B$ is a bisimulation between $\langle S_1, E_1 \rangle$ and $\langle S_2, E_2 \rangle$, then $B$ is a bisimulation between the $L$-labelled transition systems $\langle S_1, \mathrm{trans}\ E_1 \rangle$ and $\langle S_2, \mathrm{trans}\ E_2 \rangle$.

Figure 4. $s_0$ and $s_2$ are bisimilar among the two underlying $\{l\}$-labelled transition systems, which are identical, but not among the two $\{l\}$-labelled execution systems.

Figure 5. $s_0$ and $s_4$ are bisimilar among the two underlying $\{l_0, l_1, l_2\}$-labelled transition systems, which are identical, but not among the two $\{l_0, l_1, l_2\}$-labelled execution systems.


4.5  Generable  systems  and  coalgebras 

The  converse  of  Theorem  4.13  is  of  course  false,  as  is  that  of  Theorem  4.10  and  Corollary  4.11.  But  it  is 
instructive  to  see  exactly  where  it  fails.  We  go  over  it  through  a  series  of  simple  examples. 

First, suppose that $\langle S_1, E_1 \rangle$ and $\langle S_2, E_2 \rangle$ are two $\{l\}$-labelled execution systems, whose executions are as depicted in the left and right frames respectively of Figure 4. Then $s_0$ and $s_2$ are bisimilar among the $\{l\}$-labelled transition systems $\langle S_1, \mathrm{trans}\ E_1 \rangle$ and $\langle S_2, \mathrm{trans}\ E_2 \rangle$, but not among $\langle S_1, E_1 \rangle$ and $\langle S_2, E_2 \rangle$.

The problem is easy to spot here. The two systems have one execution each. But whereas the execution of the first system has only one step, the execution of the second has two. And that second step, which is the cause for $s_0$ and $s_2$ not being bisimilar among the two systems, is dropped during the underlying labelled transition system construction.

Now suppose that $\langle S_1, E_1 \rangle$ and $\langle S_2, E_2 \rangle$ are two $\{l_0, l_1, l_2\}$-labelled execution systems, whose executions are as depicted in the left and right frames respectively of Figure 5. Then $s_0$ and $s_4$ are bisimilar among the $\{l_0, l_1, l_2\}$-labelled transition systems $\langle S_1, \mathrm{trans}\ E_1 \rangle$ and $\langle S_2, \mathrm{trans}\ E_2 \rangle$, but not among $\langle S_1, E_1 \rangle$ and $\langle S_2, E_2 \rangle$.

Here the problem is of a different nature. Every step of every execution is accounted for in the underlying labelled transition systems. However, the two longer executions, starting from $s_0$ and $s_4$ respectively, disagree on their second step, and that disagreement is masked by the agreement of executions starting from $s_1$ and $s_5$ respectively.

These two examples were specially chosen to target the two defining clauses of the Abrahamson property. Specifically, and informally, the systems in the first example are not suffix closed, thus violating clause (i) of the property, whereas those in the second are not fusion closed, thus violating clause (ii). Overall, none of them is Abrahamson. And since our construction was based on the idea of a “possible next step” relation, which, in the case of a non-Abrahamson system, is a conceptually ambiguous notion, it is no surprise that non-bisimilar states can turn bisimilar in the underlying systems.

Figure 6. $s$ is not bisimilar with itself among the overlying $\{l_0, l_1\}$-labelled execution system whose executions correspond to all infinite paths in the diagram, and that whose executions correspond to the infinite paths that go through each of the two loops infinitely often.


With  Abrahamson  systems,  things  get  much  more  interesting.  In  the  rest  of  our  examples,  we  shall  focus 
on  such  systems.  And  as  afforded  with  such  systems,  we  shall  communicate  their  structure  more  casually, 
simply  drawing  a  diagram  of  the  underlying  labelled  transition  system,  and  describing  the  set  of  paths  in 
that  diagram  that  correspond  to  their  executions. 

Consider then the $\{l_0, l_1\}$-labelled transition system, with $l_0 \neq l_1$, portrayed in Figure 6. One $\{l_0, l_1\}$-labelled execution system lying over this labelled transition system is the one whose executions correspond to all infinite paths in the diagram. Another is the one whose executions correspond to those infinite paths that go through each of the two loops infinitely often. And of course, $s$ is not bisimilar with itself among the two.

Notice that if we let $l_0 = a$ and $l_1 = b$, then the two $\{l_0, l_1\}$-labelled execution systems in this example become models of the right and left side agents respectively of (2). Accordingly, we may think of each of these two systems as a specification of a scheduling policy between two processes, forever iterating over $l_0$ and $l_1$ respectively, on a single processing unit. Under the first policy, the scheduler is only required to guarantee progress of execution, simply picking at random one process at a time. Under the second, it is further required to be fair, taking care that there is no point in time after which a process is forever neglected. But whereas its behaviour in the first case is completely specified by the underlying $\{l_0, l_1\}$-labelled transition system, in the second case, it cannot be specified by any $\{l_0, l_1\}$-labelled transition system alone.

Besides  demonstrating  the  failure  of  the  converse  of  Theorem  4.13  for  Abrahamson  systems,  this  example 
attempts  to  display  the  increase  in  expressive  power  and  branching  complexity  that  moving  from  a  labelled 
transition  to  a  labelled  execution  system  can  bring.  But  it  does  so  inadequately.  For  one  need  not  really 
move  to  a  labelled  execution  system  to  specify  the  behaviour  of  the  scheduler  under  that  second  policy. 

One can just augment the given labelled transition system with the set of all infinite sequences over $\{l_0, l_1\}$ corresponding to a fair interleaving of the two processes. And in fact, the concept of bisimulation between labelled transition systems can be generalized to account for this kind of augmentation by simply adding a third clause to Definition 3.2 that tests for inclusion between the sets of “admissible” sequences of labels associated with each state. This gives rise to the less known concept of fortification equivalence, one of the alternative approaches to the semantics of finite delay considered by Milner in [44], and a perfectly adequate approach to the specification of the two scheduling policies in our example. What we want is another example that will expose the shortcomings of this type of approach, and vindicate our present venture.

Consider then the $\{l_0, l_1\}$-labelled transition system, with $l_0 \neq l_1$, portrayed in Figure 7. The first $\{l_0, l_1\}$-labelled execution system that we wish to consider here is the unique Abrahamson system whose executions starting from $s_0$ correspond to all maximal paths in this diagram. The second is the one whose executions are all the executions of the first except the single infinite execution stuttering around $s_0$. And because of this exception, $s_0$ is not bisimilar with itself among the two systems.

This beautiful example is from [5], where it was used to attack precisely the type of approach discussed above. Here, it is perhaps convenient to think of the two systems as modelling the behaviour of two distinct processes, both initialized at $s_0$. The first process will either loop around $s_0$ forever, or iterate through it for a finite, indeterminate number of times before progressing to $s_1$. From there on, a single indeterminate choice will decide its fate. The second process, on the other hand, is not allowed to loop around $s_0$ forever. It must eventually advance to $s_1$, from where on it behaves just like the first one. What sets the behaviour of the two processes apart is, of course, the infinite stuttering around $s_0$, permitted for the first process, but not the second. However, this is something that cannot be determined by the sequences of actions that the two processes perform in the course of their executions, for the trace of that infinite stuttering is matched by that of every infinite execution that eventually loops around $s_2$. And yet the two processes ought to be distinguished. For during that infinite stuttering, the first process may always choose to branch off to a state from which it can perform $l_1$, whereas, in every execution having that trace, the second must eventually reach a state from which it cannot ever do so.

Figure 7. $s_0$ is not bisimilar with itself among the overlying Abrahamson $\{l_0, l_1\}$-labelled execution system whose executions starting from $s_0$ correspond to all maximal paths in the diagram, and that whose executions are all the executions of the first system except the infinite execution stuttering around $s_0$.

Figure 8. $s$ is not bisimilar with itself among the overlying $\{l\}$-labelled execution system whose single execution corresponds to the only infinite path in the diagram, and that whose executions correspond to all finite paths and the only infinite path.

With  respect  to  the  failure  of  the  converse  of  Theorem  4.13,  both  this  and  the  previous  example  point  at 
the  same  problem:  the  existence  of  an  infinite  path  in  the  diagram  that  does  not  correspond  to  any 
execution  of  a  system,  but  whose  every  finite  prefix  is  a  prefix  of  another  path  that  does. 

This  too  is  something  that  has  already  come  up  in  the  investigation  of  path  structures  in  temporal  logic.  In 
[25],  Emerson  called  a  set  of  paths  limit  closed  provided  that  for  every  infinite,  strictly  increasing  chain  of 
finite  prefixes  of  paths  in  that  set,  the  limit  of  that  chain,  in  the  standard  topology  of  sequences,  is  again  a 
path  in  the  set.  This  is  essentially  a  continuity  property  implying  that  a  set  of  paths  be  determined  by  the 
finite  prefixes  of  paths  in  that  set,  and  was  apparently  also  first  considered  in  [1].  But  it  was  Emerson  in 
[25]  who  proved  the  independence  of  all  three  closure  properties,  and  the  equivalence  of  their  conjunction 
to  the  existence  of  a  transition  relation  generating  the  given  set  of  paths.  Apart  from  the  absence  of  labels, 
which  has  no  bearing  in  this  particular  discussion,  Emerson’s  setup  was  different  in  that  paths  were  always 
infinite.  But  this  too  is  of  no  importance  in  our  examples,  which,  in  light  of  Emerson’s  result,  appear  to 
implicate  violation  of  limit  closure  in  the  failure  of  the  underlying  labelled  transition  system  to  subsume  all 
the  branching  information  relevant  to  a  given  Abrahamson  system. 

Our  next  example  is  perhaps  the  most  curious  one. 

Consider the simple $\{l\}$-labelled transition system portrayed in Figure 8. There are exactly three Abrahamson $\{l\}$-labelled execution systems that one can lay over this labelled transition system. The first is the one whose only execution corresponds to the only infinite path in the diagram. The second is the one whose executions correspond to all finite paths in the diagram. And of course, the third is the one whose executions are all executions of the first and second system. But $s$ is not bisimilar with itself among any two of the three.

Figure 9. $s$ is not bisimilar with itself among the overlying $\{l\}$-labelled execution system that has no execution, and that whose only execution is the empty execution.

Informally,  the  second  system  is  not  limit  closed,  and  this  is  one  part  of  the  problem.  But  the  first  and 
third  are,  and  so  there  must  be  something  more  going  on  here.  The  answer  is  in  the  difference  between 
Emerson’s  setup  and  ours  mentioned  earlier.  Here,  executions  are  not  always  infinite.  In  a  system  that  is, 
informally,  suffix  closed,  if  there  is  a  finite  execution,  then  there  is  an  empty  execution.  And  an  empty 
execution  creates  a  type  of  branching  that  is  impossible  to  mimic  in  a  labelled  transition  system. 

In  an  Abrahamson  system  that  is  used  to  model  the  behaviour  of  a  process,  an  empty  execution  can  be 
used  to  model  termination.  But  if  there  is  another,  non-empty  execution  starting  from  the  same  state,  then 
termination  becomes  a  branching  choice,  one  that  does  not  show  up  in  the  “possible  next  step”  relation  of 
the  system.  This  feature  of  indeterminate  termination,  as  we  might  call  it,  can  seem  a  little  odd  at  first,  but 
is  really  a  highly  versatile  mechanism,  particularly  useful  in  modelling  idling  in  absence  of  input  stimuli. 

Finally,  consider  the  trivial  labelled  transition  system  portrayed  in  Figure  9.  There  are  exactly  two  labelled 
execution  systems  that  one  can  lay  over  this  labelled  transition  system:  one  that  has  one  execution,  the 
empty  execution,  and  one  that  has  no  execution.  And  of  course,  s  is  not  bisimilar  with  itself  among  the  two. 

This  degenerate  case  deserves  little  comment.  We  only  remark  that  in  a  suffix  closed  system,  if  a  state  has 
no  execution  starting  from  it,  then  it  has  no  execution  going  through  it. 

At  this  point,  we  have  found  five  possible  causes  of  failure  for  the  converse  of  Theorem  4.13.  We  have 
chosen  our  examples  carefully,  to  examine  each  of  the  five  separately  and  independently  from  one  another. 
And  we  have  observed  how  each  of  the  first  three  connects  to  violation  of  one  of  the  three  closure 
properties  that  have  been  shown  to  collectively  characterize  sets  of  infinite  paths  generable  by  a  transition 
relation.  But  finite  paths  add  another  dimension  to  the  problem,  rendering  Emerson’s  characterization 
result  obsolete.  What  we  will  show  next  is  that  impossibility  of  indeterminate  termination,  along  with  a 
non-triviality  condition  guarding  against  the  occurrence  of  an  isolated  state,  can  be  added  to  the  conditions 
of  suffix,  fusion,  and  limit  closure,  to  produce  a  complete  characterization  of  system  generability,  insensitive 
to  the  length  of  the  executions. 

First,  we  need  to  make  the  notion  of  generability  precise.  For  generality,  we  transfer  ourselves  again  to  the 
coalgebra  side  of  the  theory. 

Assume a class function $\tau : C \to \mathrm{Pow}(L \times C)$.

Assume $c \in C$.

Assume $e \in \mathrm{Seq}(L \times C)$.

We say that $e$ is a $\tau$-orbit of $c$ if and only if the following are true:

(i) one of the following is true:

(1) $\tau(c) = \emptyset$ and $e = \langle\,\rangle$;

(2) there is $l$, $c'$, and $e'$ such that $(l, c') \in \tau(c)$ and $e = \langle (l, c') \rangle \cdot e'$;

(ii) for every $n \in \omega$, if $\mathrm{tail}^n\ e \neq \langle\,\rangle$, then one of the following is true:

(1) there is $l$ and $c'$ such that $\tau(c') = \emptyset$ and $\mathrm{tail}^n\ e = \langle (l, c') \rangle$;

(2) there is $l$, $c'$, $l'$, $c''$, and $e''$ such that $(l', c'') \in \tau(c')$ and $\mathrm{tail}^n\ e = \langle (l, c') \rangle \cdot \langle (l', c'') \rangle \cdot e''$.

Here again, it is the computational interpretation that is most helpful. If we think of $\tau$ as a representation of the control flow graph of a possibly indeterminate sequential program, then a $\tau$-orbit of $c$ corresponds to a total execution of that program starting from the node represented by $c$.

Now, we would like to say that a class function from $C$ to $\mathrm{Pow}\,\mathrm{Seq}(L \times C)$ is generated by $\tau$ just as long as it assigns to any $c \in C$ the set of all $\tau$-orbits of $c$. But first, we need to make sure that this really is a set, and not a proper class.

We write $W_\tau(c)$ for a class function from $\omega$ to $\mathrm{Pow}(L \times C)$ such that

$$W_\tau(c)(0) = \tau(c),$$

and for every $n \in \omega$,

$$W_\tau(c)(n + 1) = \bigcup \{\tau(c') \mid \text{there is } l \text{ such that } (l, c') \in W_\tau(c)(n)\}.$$

We think of $W_\tau(c)$ as a wave emitted by $c$, and propagating through $L \times C$ according to $\tau$, and $W_\tau(c)(n)$ as the wavefront at the $n$th time instance.

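Proposition 4.14. If $e$ is a $\tau$-orbit of $c$, then for every $n \in \omega$, if $\mathrm{tail}^n\ e \neq \langle\,\rangle$, then $\mathrm{head}\ \mathrm{tail}^n\ e \in W_\tau(c)(n)$.

Proof. We use induction.

If $n = 0$, then $\mathrm{tail}^n\ e = e$. Thus, if $\mathrm{tail}^n\ e \neq \langle\,\rangle$, then there is $l$, $c'$, and $e'$ such that $(l, c') \in \tau(c)$ and

$$\mathrm{tail}^n\ e = \langle (l, c') \rangle \cdot e'.$$

Hence, $\mathrm{head}\ \mathrm{tail}^n\ e \in W_\tau(c)(n)$.

Otherwise, there is $m \in \omega$ such that $n = m + 1$. Then, if $\mathrm{tail}^n\ e \neq \langle\,\rangle$, then $\mathrm{tail}^m\ e \neq \langle\,\rangle$. Thus, there is $l$, $c'$, $l'$, $c''$, and $e''$ such that $(l', c'') \in \tau(c')$ and

$$\mathrm{tail}^m\ e = \langle (l, c') \rangle \cdot \langle (l', c'') \rangle \cdot e''.$$

By the induction hypothesis, $\mathrm{head}\ \mathrm{tail}^m\ e \in W_\tau(c)(m)$, and so, $(l, c') \in W_\tau(c)(m)$. Thus, $(l', c'') \in W_\tau(c)(m + 1)$, and since

$$\mathrm{head}\ \mathrm{tail}^n\ e = \mathrm{head}\ \mathrm{tail}^{m+1}\ e = (l', c''),$$

$\mathrm{head}\ \mathrm{tail}^n\ e \in W_\tau(c)(n)$.

Therefore, for every $n \in \omega$, if $\mathrm{tail}^n\ e \neq \langle\,\rangle$, then $\mathrm{head}\ \mathrm{tail}^n\ e \in W_\tau(c)(n)$. □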

Proposition 4.15. For every $n \in \omega$, $W_\tau(c)(n)$ is a set.

Proof. We use induction.

If $n = 0$, then $W_\tau(c)(n) = \tau(c)$, which, by definition of $\mathrm{Pow}$, is a set.

Otherwise, there is $m \in \omega$ such that $n = m + 1$. By the induction hypothesis, $W_\tau(c)(m)$ is a set. Then clearly, $W_\tau(c)(m + 1)$ is a set, and so $W_\tau(c)(n)$ is a set.

Therefore, for every $n \in \omega$, $W_\tau(c)(n)$ is a set. □

Proposition 4.16. $\{e \mid e \in \mathrm{Seq}(L \times C) \text{ and } e \text{ is a } \tau\text{-orbit of } c\}$ is a set.

Proof. By Proposition 4.14, for every $e \in \mathrm{Seq}(L \times C)$, if $e$ is a $\tau$-orbit of $c$, then

$$\mathrm{graph}\ e \subseteq \bigcup \{\{n\} \times W_\tau(c)(n) \mid n \in \omega\}.$$

Thus,

$$\{\mathrm{graph}\ e \mid e \in \mathrm{Seq}(L \times C) \text{ and } e \text{ is a } \tau\text{-orbit of } c\}$$

is a set, and by replacement,

$$\{e \mid e \in \mathrm{Seq}(L \times C) \text{ and } e \text{ is a } \tau\text{-orbit of } c\}$$

is a set. □

Proposition  4.15  and  4.16  will  be  taken  for  granted  in  the  sequel. 

We write $\mathrm{gen}\ \tau$ for a class function from $C$ to $\mathrm{Pow}\,\mathrm{Seq}(L \times C)$ such that for any $c \in C$,

$$(\mathrm{gen}\ \tau)(c) = \{e \mid e \in \mathrm{Seq}(L \times C) \text{ and } e \text{ is a } \tau\text{-orbit of } c\}.$$

Assume a class function $\varepsilon : C \to \mathrm{Pow}\,\mathrm{Seq}(L \times C)$.

We say that $\tau$ generates $\varepsilon$ if and only if $\mathrm{gen}\ \tau = \varepsilon$.

We say that $\varepsilon$ is generable if and only if there is a class function from $C$ to $\mathrm{Pow}(L \times C)$ that generates $\varepsilon$.

Now, suppose that $\varepsilon$ is indeed generable. Can there be more than one class function from $C$ to $\mathrm{Pow}(L \times C)$ that generates $\varepsilon$?

We could perhaps use the following tentative argument to convince ourselves that this cannot be the case: if $\tau_1$ and $\tau_2$ are two different class functions from $C$ to $\mathrm{Pow}(L \times C)$, then there must be $c \in C$ and $(l, c') \in L \times C$ such that either $(l, c') \in \tau_1(c)$ and $(l, c') \notin \tau_2(c)$, or $(l, c') \notin \tau_1(c)$ and $(l, c') \in \tau_2(c)$; and assuming, without any loss of generality, the former, we can prefix any $\tau_1$-orbit of $c'$ with $(l, c')$ to get a $\tau_1$-orbit of $c$ that cannot be a $\tau_2$-orbit of $c$. But how do we know if there is a $\tau_1$-orbit of $c'$ to prefix with $(l, c')$?

If $\tau_1(c') = \emptyset$, then $\langle\,\rangle$ is a $\tau_1$-orbit of $c'$. If $\tau_1(c') \neq \emptyset$, then we would again expect that there is at least one $\tau_1$-orbit of $c'$. For we could imagine constructing one by first choosing a pair $(l', c'')$ in $\tau_1(c')$, then a pair $(l'', c''')$ in $\tau_1(c'')$, then a pair $(l''', c'''')$ in $\tau_1(c''')$, and so on forever, or until we reach a point where there is no pair to choose. If we never reach such a point, then this construction will involve an infinite number of choices. This suggests that the Axiom of Choice, or some other, weaker form of it, might be necessary to prove the statement that for every suitable $\tau$ and $c$, there is a $\tau$-orbit of $c$. And indeed, this statement is equivalent to the Axiom of Dependent Choice.

We  will  need  the  following  lemma: 

Lemma 4.17. For every $n \in \omega$, if there is $(l, c') \in W_\tau(c)(n)$ and $e' \in \mathrm{Seq}(L \times C)$ such that $e'$ is a $\tau$-orbit of $c'$, then there is $e \in \mathrm{Seq}(L \times C)$ such that $e$ is a $\tau$-orbit of $c$.

Proof. We use induction.

If $n = 0$, then $(l, c') \in \tau(c)$, and $\langle (l, c') \rangle \cdot e'$ is a $\tau$-orbit of $c$.

Otherwise, there is $m \in \omega$ such that $n = m + 1$. By definition of $W_\tau(c)$, there is $(l', c'') \in W_\tau(c)(m)$ such that $(l, c') \in \tau(c'')$, and $\langle (l, c') \rangle \cdot e'$ is a $\tau$-orbit of $c''$. Thus, by the induction hypothesis, there is $e \in \mathrm{Seq}(L \times C)$ such that $e$ is a $\tau$-orbit of $c$.

Therefore, for every $n \in \omega$, if there is $(l, c') \in W_\tau(c)(n)$ and $e' \in \mathrm{Seq}(L \times C)$ such that $e'$ is a $\tau$-orbit of $c'$, then there is $e \in \mathrm{Seq}(L \times C)$ such that $e$ is a $\tau$-orbit of $c$. □

Theorem 4.18. The following are equivalent:

(a) for every class $C$, every class function $\tau : C \to \mathrm{Pow}(L \times C)$, and any $c \in C$, there is $e \in \mathrm{Seq}(L \times C)$ such that $e$ is a $\tau$-orbit of $c$;

(b) for every non-empty set $S$ and every binary relation $R$ on $S$, if for every $s \in S$, there is $s'$ such that $s\ R\ s'$, then there is an infinite sequence $d$ over $S$ such that for every $n \in \omega$,

$$\mathrm{head}\ \mathrm{tail}^n\ d\ \ R\ \ \mathrm{head}\ \mathrm{tail}^{n+1}\ d.$$

Proof. Suppose that (a) is true.

Assume a non-empty set $S$.

Let $l$ be a label in $L$.

Let $\tau$ be a class function from $S$ to $\mathrm{Pow}(L \times S)$ such that for every $s \in S$,

$$\tau(s) = \{(l, s') \mid s\ R\ s'\}.$$

Let $s$ be a member of $S$.

Since (a) is true, there is $e \in \mathrm{Seq}(L \times S)$ such that $e$ is a $\tau$-orbit of $s$. And by an easy induction, for every $n \in \omega$, $\mathrm{tail}^n\ e \neq \langle\,\rangle$.

Let $d$ be an infinite sequence over $S$ such that for every $n \in \omega$,

$$\mathrm{head}\ \mathrm{tail}^n\ d = \mathrm{sec}\ \mathrm{head}\ \mathrm{tail}^n\ e.$$

Then, by an easy induction, for every $n \in \omega$, $\mathrm{head}\ \mathrm{tail}^n\ d\ R\ \mathrm{head}\ \mathrm{tail}^{n+1}\ d$.

Thus, by generalization, (b) is true.

Conversely, suppose that (b) is true.

Assume a class $C$, a class function $\tau : C \to \mathrm{Pow}(L \times C)$, and $c \in C$.

If $\tau(c) = \emptyset$, then $\langle\,\rangle$ is a $\tau$-orbit of $c$.

Otherwise, $W_\tau(c)(0) \neq \emptyset$.

If there is $n \in \omega$ and $c' \in W_\tau(c)(n)$ such that $\tau(c') = \emptyset$, then $\langle\,\rangle$ is a $\tau$-orbit of $c'$. Thus, by Lemma 4.17, there is $e \in \mathrm{Seq}(L \times C)$ such that $e$ is a $\tau$-orbit of $c$.

Otherwise, for every $n \in \omega$ and every $c' \in W_\tau(c)(n)$, $\tau(c') \neq \emptyset$.

Let $S = \bigcup \{W_\tau(c)(n) \mid n \in \omega\}$.

Then, since $W_\tau(c)(0) \neq \emptyset$, $S \neq \emptyset$.

Let $R$ be a binary relation on $S$ such that for every $(l, c'), (l', c'') \in S$,

$$(l, c')\ R\ (l', c'') \iff (l', c'') \in \tau(c').$$

Then for every $(l, c') \in S$, there is $(l', c'')$ such that $(l, c')\ R\ (l', c'')$, and thus, since (b) is true, there is an infinite sequence $d$ over $S$ such that for every $n \in \omega$, $\mathrm{head}\ \mathrm{tail}^n\ d\ R\ \mathrm{head}\ \mathrm{tail}^{n+1}\ d$. And clearly, there is $n \in \omega$ and $(l, c') \in W_\tau(c)(n)$ such that

$$\mathrm{head}\ d = (l, c')$$

and $\mathrm{tail}\ d$ is a $\tau$-orbit of $c'$. Thus, by Lemma 4.17, there is $e \in \mathrm{Seq}(L \times C)$ such that $e$ is a $\tau$-orbit of $c$.

Thus, by generalization, (a) is true. □

Here, we accept the Axiom of Dependent Choice, and so we will take Theorem 4.18(a) for granted.

We  can  now  make  our  tentative  argument  formal. 

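Assume class functions $\tau_1, \tau_2 : C \to \mathrm{Pow}(L \times C)$.

Proposition 4.19. If $\tau_1 \neq \tau_2$, then $\mathrm{gen}\ \tau_1 \neq \mathrm{gen}\ \tau_2$.

Proof. Suppose that $\tau_1 \neq \tau_2$.

Then there is $c$, $l$, and $c'$ such that either $(l, c') \in \tau_1(c)$ and $(l, c') \notin \tau_2(c)$, or $(l, c') \notin \tau_1(c)$ and $(l, c') \in \tau_2(c)$.

Without any loss of generality, assume the former.

Let $e'$ be a sequence in $\mathrm{Seq}(L \times C)$ that is a $\tau_1$-orbit of $c'$.

Let $e = \langle (l, c') \rangle \cdot e'$.

Then $e \in (\mathrm{gen}\ \tau_1)(c)$, but $e \notin (\mathrm{gen}\ \tau_2)(c)$. Thus, $\mathrm{gen}\ \tau_1 \neq \mathrm{gen}\ \tau_2$. □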

If we think of $\mathrm{gen}$ as an operator from cooperations of $L$-labelled transition coalgebras to cooperations of $L$-labelled execution coalgebras, then we can read Proposition 4.19 as saying that that operator is injective. So it must have a left inverse. The following shows that that left inverse is the composition on the left with the image of the carrier of the corresponding $L$-labelled execution coalgebra under $\eta$:

Proposition 4.20. The following are true:

(a) $\eta(C) \circ \mathrm{gen}\ \tau = \tau$;

(b) if $\varepsilon$ is generable, then $\varepsilon = \mathrm{gen}(\eta(C) \circ \varepsilon)$.

Proof. Assume $c \in C$.

Assume $(l, c') \in L \times C$.

Suppose that $(l, c') \in (\eta(C) \circ \mathrm{gen}\ \tau)(c)$.

Then there is $e \in (\mathrm{gen}\ \tau)(c)$ such that $\mathrm{head}\ e = (l, c')$, and thus, $(l, c') \in \tau(c)$.

Conversely, suppose that $(l, c') \in \tau(c)$.

Let $e'$ be a sequence in $\mathrm{Seq}(L \times C)$ that is a $\tau$-orbit of $c'$.

Then $\langle (l, c') \rangle \cdot e' \in (\mathrm{gen}\ \tau)(c)$, and thus, $(l, c') \in (\eta(C) \circ \mathrm{gen}\ \tau)(c)$.

Thus, $(l, c') \in (\eta(C) \circ \mathrm{gen}\ \tau)(c)$ if and only if $(l, c') \in \tau(c)$.

Thus, by generalization, (a) is true.

We will now use (a) to prove (b).

Suppose that $\varepsilon$ is generable.

Then there is a class function $\tau' : C \to \mathrm{Pow}(L \times C)$ such that

$$\mathrm{gen}\ \tau' = \varepsilon.$$

Thus,

$$\eta(C) \circ \mathrm{gen}\ \tau' = \eta(C) \circ \varepsilon,$$

and hence, by (a),

$$\tau' = \eta(C) \circ \varepsilon.$$

Thus, (b) is true. □

Before we move on to our characterization theorem, we have one last stop to make. We have built our notion of generability around the idea of a $\tau$-orbit. And we have tried to formalize the latter in the most conceptually direct way. But as effective as that formalization has been, there is still reason to consider another one. First, it is ugly. And second, there is a very simple but powerful proof rule that it is entirely oblivious to.

We say that $\varepsilon$ is consistent with $\tau$ if and only if for any $c \in C$ and any $e \in \varepsilon(c)$, one of the following is true:

(i) $\tau(c) = \emptyset$ and $e = \langle\,\rangle$;

(ii) there is $l$, $c'$, and $e'$ such that $(l, c') \in \tau(c)$, $e' \in \varepsilon(c')$, and $e = \langle (l, c') \rangle \cdot e'$.

Theorem  4.21.  The  following  are  equivalent: 

(a)  e  is  a  r-orbit  of  c; 

(b)  there  is  a  class  function  e  :  C  — >  PowSeq(L  x  C )  such  that  e  is  consistent  with  r,  and  e  G  e(c). 

Proof. Suppose that (a) is true.

Let $\varepsilon$ be a class function from $C$ to $\operatorname{Pow}\operatorname{Seq}(L \times C)$ such that for every $c'$ and $e'$, $e' \in \varepsilon(c')$ if and only if one of the following is true:

(i) $c' = c$ and $e' = e$;

(ii) there is $n \in \omega$ and $l$ such that $\operatorname{tail}^{n} e = \langle (l, c') \rangle \cdot e'$.

Assume $c' \in C$ and $e' \in \varepsilon(c')$.

Suppose that $c' = c$ and $e' = e$.

If $\tau(c') = \emptyset$ and $e' = \langle\,\rangle$, then clause (i) of the consistency property is true.

Otherwise, there is $l'$, $c''$, and $e''$ such that $(l', c'') \in \tau(c')$ and

$$e' = \langle (l', c'') \rangle \cdot e''.$$

Then, by (ii), $e'' \in \varepsilon(c'')$. Thus, clause (ii) of the consistency property is true.

Otherwise, there is $n \in \omega$ and $l$ such that $\operatorname{tail}^{n} e = \langle (l, c') \rangle \cdot e'$.

If $e' = \langle\,\rangle$, then $\tau(c') = \emptyset$, and thus, clause (i) of the consistency property is true.

Otherwise, there is $l'$, $c''$, and $e''$ such that $(l', c'') \in \tau(c')$ and

$$e' = \langle (l', c'') \rangle \cdot e''.$$

Then, by (ii), $e'' \in \varepsilon(c'')$. Thus, clause (ii) of the consistency property is true.

Therefore, $\varepsilon$ is consistent with $\tau$.

Thus, (b) is true.

Conversely, suppose (b) is true.

Then clause (i) of the property of being a $\tau$-orbit of $c$ is true.

By an easy induction, for every $n \in \omega$, if $\operatorname{tail}^{n} e \neq \langle\,\rangle$, then there is $l$ and $c'$ such that

$$\operatorname{head} \operatorname{tail}^{n} e = (l, c')$$

and $\operatorname{tail}^{n+1} e \in \varepsilon(c')$.

Assume $n \in \omega$.

Suppose that $\operatorname{tail}^{n} e \neq \langle\,\rangle$.

Then there is $l$ and $c'$ such that

$$\operatorname{head} \operatorname{tail}^{n} e = (l, c')$$

and $\operatorname{tail}^{n+1} e \in \varepsilon(c')$.

If $\operatorname{tail}^{n+1} e = \langle\,\rangle$, then $\tau(c') = \emptyset$.

Otherwise, there is $l'$, $c''$, and $e''$ such that $(l', c'') \in \tau(c')$, $e'' \in \varepsilon(c'')$, and

$$\operatorname{tail}^{n+1} e = \langle (l', c'') \rangle \cdot e''.$$

Thus, by generalization, clause (ii) of the property of being a $\tau$-orbit of $c$ is true.

Therefore, (a) is true. □

The  following  is  immediate: 

Corollary 4.22. If $\varepsilon$ is consistent with $\tau$, then for any $c \in C$,

$$\varepsilon(c) \subseteq (\operatorname{gen} \tau)(c).$$

The  following  is  now  straightforward: 

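Corollary 4.23. $\operatorname{gen} \tau$ is consistent with $\tau$.

Proof. Assume $c \in C$ and $e \in (\operatorname{gen} \tau)(c)$.

By Theorem 4.21, there is a class function $\varepsilon : C \to \operatorname{Pow}\operatorname{Seq}(L \times C)$ such that $\varepsilon$ is consistent with $\tau$, and $e \in \varepsilon(c)$.

If $\tau(c) = \emptyset$ and $e = \langle\,\rangle$, then there is nothing to prove.

Otherwise, there is $l$, $c'$, and $e'$ such that $(l, c') \in \tau(c)$, $e' \in \varepsilon(c')$, and

$$e = \langle (l, c') \rangle \cdot e'.$$

And by Corollary 4.22, $e' \in (\operatorname{gen} \tau)(c')$.

Thus, by generalization, $\operatorname{gen} \tau$ is consistent with $\tau$. □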

Corollary  4.22  is  the  proof  rule  that  we  referred  to  earlier,  which  is  basically  an  instance  of  the  coinduction 
proof  technique  described  in  [47].  This  deserves  a  brief  digression. 

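We write $\mathcal{G}_{\tau}(\varepsilon)$ for a class function from $C$ to $\operatorname{Pow}\operatorname{Seq}(L \times C)$ such that for any $c \in C$,

$$\mathcal{G}_{\tau}(\varepsilon)(c) = \begin{cases} \{\langle\,\rangle\} & \text{if } \tau(c) = \emptyset; \\ \{\langle (l, c') \rangle \cdot e' \mid (l, c') \in \tau(c) \text{ and } e' \in \varepsilon(c')\} & \text{otherwise.} \end{cases}$$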



Here again, our notation is not arbitrary. We think of $\mathcal{G}_{\tau}$ as an operator on class functions from $C$ to $\operatorname{Pow}\operatorname{Seq}(L \times C)$. And the interesting thing about this operator is that it preserves the pointwise ordering of class functions from $C$ to $\operatorname{Pow}\operatorname{Seq}(L \times C)$ induced by the inclusion class relation on $\operatorname{Pow}\operatorname{Seq}(L \times C)$: for every class function $\varepsilon_1, \varepsilon_2 : C \to \operatorname{Pow}\operatorname{Seq}(L \times C)$, if for any $c \in C$,

$$\varepsilon_1(c) \subseteq \varepsilon_2(c),$$

then for any $c \in C$,

$$\mathcal{G}_{\tau}(\varepsilon_1)(c) \subseteq \mathcal{G}_{\tau}(\varepsilon_2)(c).$$

What is more, $\varepsilon$ is consistent with $\tau$ if and only if $\varepsilon$ is a post-fixed point of $\mathcal{G}_{\tau}$, or equivalently, for any $c \in C$,

$$\varepsilon(c) \subseteq \mathcal{G}_{\tau}(\varepsilon)(c).$$

And it is not hard to see that $\operatorname{gen} \tau$ is the greatest fixed point of $\mathcal{G}_{\tau}$, with respect to the aforementioned pointwise ordering. Therefore, we can read Corollary 4.22 as saying that every post-fixed point of $\mathcal{G}_{\tau}$ is below the greatest fixed point of $\mathcal{G}_{\tau}$ in that ordering, which is precisely what the coinduction proof technique of [47] mandates. Unlike the latter, we could not have used Tarski’s Lattice-theoretical Fixpoint Theorem (see [61, thm. 1]) to deduce our proof rule here. For if $C$ is a proper class, then $\operatorname{Pow}\operatorname{Seq}(L \times C)$ is not a complete lattice under inclusion, and so neither is the induced ordering of class functions from $C$ to $\operatorname{Pow}\operatorname{Seq}(L \times C)$. Nevertheless, the principle is the same.

Note  that  an  ordered  set  can  be  viewed  as  a  category,  an  order-preserving  function  on  that  set  as  a  functor 
on  that  category,  and  a  post-fixed  point  of  that  function  as  a  coalgebra  for  that  functor.  And  if  that 
ordered  set  is  a  complete  lattice,  then,  by  Tarski’s  fixed-point  theorem,  there  is  a  final  coalgebra  for  that 
functor.  And  so  the  coinduction  proof  technique  of  [47]  is  just  another  variation  of  the  general  finality 
theme  of  Section  2.6.  The  same,  of  course,  is  true  for  the  more  ad  hoc  proof  rule  of  Corollary  4.22. 

For  a  historical  account  on  the  emergence  of  coinduction  in  computer  science,  we  refer  to  [60]. 

We  have  now  finally  reached  our  generability  characterization  theorem. 

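Theorem 4.24. $\varepsilon$ is generable if and only if the following are true:

(a) for every $c$, $l$, $c'$, and $e'$, if $\langle (l, c') \rangle \cdot e' \in \varepsilon(c)$, then $e' \in \varepsilon(c')$;

(b) for every $c$, $l$, $c'$, $e'_1$, and $e'_2$, if $\langle (l, c') \rangle \cdot e'_1 \in \varepsilon(c)$ and $e'_2 \in \varepsilon(c')$, then $\langle (l, c') \rangle \cdot e'_2 \in \varepsilon(c)$;

(c) for any $c \in C$ and every infinite sequence $s$, if for every $n \in \omega$, there is $e \in \varepsilon(c)$ such that for every $k < n + 1$, $\operatorname{tail}^{k} e \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{k} s = \operatorname{head} \operatorname{tail}^{k} e,$$

then $s \in \varepsilon(c)$;

(d) for every $c$ and $e$, if $e \in \varepsilon(c)$ and $\langle\,\rangle \in \varepsilon(c)$, then $e = \langle\,\rangle$;

(e) for any $c \in C$, $\varepsilon(c) \neq \emptyset$.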

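Proof. Suppose that $\varepsilon$ is generable.

Then there is a class function $\tau : C \to \operatorname{Pow}(L \times C)$ such that $\varepsilon = \operatorname{gen} \tau$.

For every $c$, $l$, $c'$, and $e'$, if $\langle (l, c') \rangle \cdot e' \in (\operatorname{gen} \tau)(c)$, then, by Corollary 4.23, $e' \in (\operatorname{gen} \tau)(c')$, and thus, (a) is true.

For every $c$, $l$, $c'$, $e'_1$, and $e'_2$, if $\langle (l, c') \rangle \cdot e'_1 \in (\operatorname{gen} \tau)(c)$ and $e'_2 \in (\operatorname{gen} \tau)(c')$, then, by Corollary 4.23, $\langle (l, c') \rangle \cdot e'_2 \in (\operatorname{gen} \tau)(c)$, and thus, (b) is true.

Assume $c \in C$ and an infinite sequence $s$.

Suppose that for every $n \in \omega$, there is $e \in (\operatorname{gen} \tau)(c)$ such that for every $k < n + 1$, $\operatorname{tail}^{k} e \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{k} s = \operatorname{head} \operatorname{tail}^{k} e.$$

Assume $n \in \omega$.

If $n = 0$, then there is $e \in (\operatorname{gen} \tau)(c)$ such that $e \neq \langle\,\rangle$ and

$$\operatorname{head} s = \operatorname{head} e.$$

Thus, there is $l$, $c'$, and $e'$ such that $(l, c') \in \tau(c)$ and

$$s = \langle (l, c') \rangle \cdot e'.$$

Otherwise, there is $m \in \omega$ such that $n = m + 1$. Then there is $e \in (\operatorname{gen} \tau)(c)$ such that $\operatorname{tail}^{m} e \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{m} s = \operatorname{head} \operatorname{tail}^{m} e,$$

and $\operatorname{tail}^{m+1} e \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{m+1} s = \operatorname{head} \operatorname{tail}^{m+1} e.$$

Thus, there is $l$, $c'$, $l'$, $c''$, and $e''$ such that $(l', c'') \in \tau(c')$ and

$$\operatorname{tail}^{m} s = \langle (l, c') \rangle \cdot \langle (l', c'') \rangle \cdot e''.$$

Thus, by generalization, $s$ is a $\tau$-orbit of $c$, and hence, $s \in (\operatorname{gen} \tau)(c)$.

Thus, by generalization, (c) is true.

For every $c$ and $e$, if $e \in (\operatorname{gen} \tau)(c)$ and $\langle\,\rangle \in (\operatorname{gen} \tau)(c)$, then, by Corollary 4.23, $\tau(c) = \emptyset$, and hence, $e = \langle\,\rangle$. Thus, (d) is true.

By Theorem 4.18 and the Axiom of Dependent Choice, (e) is true.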

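Conversely, suppose that (a), (b), (c), (d), and (e) are true.

We prove that $\varepsilon = \operatorname{gen}(\eta(C) \circ \varepsilon)$.

Assume $c \in C$ and $e \in \varepsilon(c)$.

If $e = \langle\,\rangle$, then, by (d), $\varepsilon(c) = \{\langle\,\rangle\}$, and thus, $\eta(C)(\varepsilon(c)) = \emptyset$.

Otherwise, there is $l$, $c'$, and $e'$ such that

$$e = \langle (l, c') \rangle \cdot e'.$$

Thus, by definition of $\eta$, $(l, c') \in \eta(C)(\varepsilon(c))$, and by (a), $e' \in \varepsilon(c')$.

Thus, by generalization, $\varepsilon$ is consistent with $\eta(C) \circ \varepsilon$, and by Corollary 4.22, for any $c \in C$,

$$\varepsilon(c) \subseteq (\operatorname{gen}(\eta(C) \circ \varepsilon))(c).$$

Assume $c \in C$ and $e \in (\operatorname{gen}(\eta(C) \circ \varepsilon))(c)$.

If $e = \langle\,\rangle$, then $\eta(C)(\varepsilon(c)) = \emptyset$. Thus, by (e), $e \in \varepsilon(c)$.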
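Otherwise, there is $l$, $c'$, and $e'_2$ such that $(l, c') \in \eta(C)(\varepsilon(c))$ and

$$e = \langle (l, c') \rangle \cdot e'_2.$$

Suppose that there is $n \in \omega$ such that $\operatorname{tail}^{n+1} e = \langle\,\rangle$.

Let $n$ be the least member of $\omega$ such that $\operatorname{tail}^{n+1} e = \langle\,\rangle$.

Then there is $l'$ and $c''$ such that $\eta(C)(\varepsilon(c'')) = \emptyset$ and

$$\operatorname{tail}^{n} e = \langle (l', c'') \rangle.$$

We use induction to prove that for every $j < n + 1$, there is $l''$ and $c''$ such that

$$\operatorname{head} \operatorname{tail}^{j} e = (l'', c'')$$

and $\operatorname{tail}^{j+1} e \in \varepsilon(c'')$.

If $j = n$, then

$$\operatorname{head} \operatorname{tail}^{j} e = (l', c'')$$

and

$$\operatorname{tail}^{j+1} e = \langle\,\rangle.$$

And since $\eta(C)(\varepsilon(c'')) = \emptyset$, by (e), $\operatorname{tail}^{j+1} e \in \varepsilon(c'')$.

Otherwise, there is $k < n + 1$ such that $j + 1 = k$. Then there is $l''$, $c''$, $l'''$, $c'''$, and $e'''_2$ such that $(l''', c''') \in \eta(C)(\varepsilon(c''))$ and

$$\operatorname{head} \operatorname{tail}^{j} e = (l'', c''),$$

and

$$\operatorname{tail}^{j+1} e = \operatorname{tail}^{k} e = \langle (l''', c''') \rangle \cdot e'''_2.$$

By the induction hypothesis, $e'''_2 \in \varepsilon(c''')$. Since $(l''', c''') \in \eta(C)(\varepsilon(c''))$, there is $e'''_1$ such that $\langle (l''', c''') \rangle \cdot e'''_1 \in \varepsilon(c'')$. Thus, by (b), $\operatorname{tail}^{j+1} e \in \varepsilon(c'')$.

Therefore, $e'_2 \in \varepsilon(c')$. And since $(l, c') \in \eta(C)(\varepsilon(c))$, there is $e'_1$ such that $\langle (l, c') \rangle \cdot e'_1 \in \varepsilon(c)$. Thus, by (b), $e \in \varepsilon(c)$.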

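Otherwise, for every $n \in \omega$, $\operatorname{tail}^{n+1} e \neq \langle\,\rangle$.

We use induction to prove that for every $n, k \in \omega$, there is $l'$, $c''$, and $e''$ such that

$$\operatorname{head} \operatorname{tail}^{n} e = (l', c''),$$

$e'' \in \varepsilon(c'')$, and for every $i < k + 1$, $\operatorname{tail}^{i} e'' \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{n+1+i} e = \operatorname{head} \operatorname{tail}^{i} e''.$$

Suppose that $k = 0$.

Then there is $l'$, $c''$, $l''$, $c'''$, and $e'''$ such that $(l'', c''') \in \eta(C)(\varepsilon(c''))$ and

$$\operatorname{tail}^{n} e = \langle (l', c'') \rangle \cdot \langle (l'', c''') \rangle \cdot e'''.$$

And since $(l'', c''') \in \eta(C)(\varepsilon(c''))$, there is $e''$ such that $e'' \in \varepsilon(c'')$ and

$\operatorname{head} e'' =$

Otherwise, there is $j \in \omega$ such that $k = j + 1$.

Then there is $l'$, $c''$, $l''$, $c'''$, and $e'''$ such that $(l'', c''') \in \eta(C)(\varepsilon(c''))$ and

$$\operatorname{tail}^{n} e = \langle (l', c'') \rangle \cdot \langle (l'', c''') \rangle \cdot e'''.$$

By the induction hypothesis, there is $e'''_2$ such that $e'''_2 \in \varepsilon(c''')$ and for every $i < j + 1$, $\operatorname{tail}^{i} e'''_2 \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{n+2+i} e = \operatorname{head} \operatorname{tail}^{i} e'''_2.$$

Since $(l'', c''') \in \eta(C)(\varepsilon(c''))$, there is $e'''_1$ such that $\langle (l'', c''') \rangle \cdot e'''_1 \in \varepsilon(c'')$. Thus, by (b), $\langle (l'', c''') \rangle \cdot e'''_2 \in \varepsilon(c'')$. And clearly, for every $i < k + 1$, $\operatorname{tail}^{i}(\langle (l'', c''') \rangle \cdot e'''_2) \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{n+1+i} e = \operatorname{head} \operatorname{tail}^{i}(\langle (l'', c''') \rangle \cdot e'''_2).$$

Therefore, for every $n \in \omega$, there is $e' \in \varepsilon(c')$ such that for every $k < n + 1$, $\operatorname{tail}^{k} e' \neq \langle\,\rangle$ and

$$\operatorname{head} \operatorname{tail}^{k} e'_2 = \operatorname{head} \operatorname{tail}^{k} e'.$$

Thus, by (c), $e'_2 \in \varepsilon(c')$. And since $(l, c') \in \eta(C)(\varepsilon(c))$, there is $e'_1$ such that $\langle (l, c') \rangle \cdot e'_1 \in \varepsilon(c)$. Thus, by (b), $\langle (l, c') \rangle \cdot e'_2 \in \varepsilon(c)$, and hence, $e \in \varepsilon(c)$.

Thus, by generalization, for any $c \in C$,

$$\varepsilon(c) \supseteq (\operatorname{gen}(\eta(C) \circ \varepsilon))(c).$$

Thus, $\varepsilon = \operatorname{gen}(\eta(C) \circ \varepsilon)$, and hence, $\varepsilon$ is generable. □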

Clause  (a)  of  Theorem  4.24  corresponds  to  suffix  closure,  clause  (b),  conditioned  on  (a),  to  fusion  closure, 
and  clause  (c)  to  limit  closure.  Clause  (d)  asserts  the  impossibility  of  indeterminate  termination.  Finally, 
clause  (e)  is  the  non-triviality  condition  discussed  earlier,  and  essentially  replaces  Emerson’s  left  totality 
condition  on  the  generating  transition  relation  (see  [25]). 
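
On small systems the clauses of Theorem 4.24 can be checked mechanically. The following Python sketch is an added example, not code from the paper: it assumes finite, acyclic systems (every execution is finite, so limit closure, clause (c), holds vacuously), and the function names and the three sample systems are constructed for illustration.

```python
"""Finite check of clauses (a), (b), (d), (e) of Theorem 4.24 (added example).

An execution is a tuple of (label, state) steps; `eps` maps every state to
its set of executions. Assumption: the system is finite and acyclic, and
every state mentioned in an execution is a key of `eps`.
"""


def trans(eps):
    """eta(C) o eps: the set of first steps of the executions of each state."""
    return {c: {e[0] for e in execs if e} for c, execs in eps.items()}


def gen(tau):
    """gen tau for an acyclic tau: all maximal tau-paths from each state."""
    memo = {}

    def orbits(c):
        if c not in memo:
            if not tau[c]:
                memo[c] = {()}  # no transitions: only the empty execution
            else:
                memo[c] = {((l, d),) + rest
                           for (l, d) in tau[c] for rest in orbits(d)}
        return memo[c]

    return {c: orbits(c) for c in tau}


def clauses(eps):
    """Truth values of clauses (a), (b), (d), (e) of Theorem 4.24 for eps."""
    # (a) suffix closure: the tail of an execution belongs to the next state.
    suffix = all(e[1:] in eps[e[0][1]]
                 for execs in eps.values() for e in execs if e)
    # (b) fusion closure: a first step may be followed by any execution
    # of the state it leads to.
    fusion = all(e1[:1] + e2 in execs
                 for execs in eps.values() for e1 in execs if e1
                 for e2 in eps[e1[0][1]])
    # (d) no indeterminate termination: the empty execution excludes others.
    determinate = all(execs == {()} for execs in eps.values() if () in execs)
    # (e) non-triviality: every state has at least one execution.
    nontrivial = all(execs for execs in eps.values())
    return {"a": suffix, "b": fusion, "d": determinate, "e": nontrivial}


def generable(eps):
    """eps is generable iff eps = gen(eta(C) o eps), as in the proof above."""
    return gen(trans(eps)) == eps


# Constructed sample: the interleaving of a.0 and b.0; all clauses hold.
INTERLEAVE = {
    "a|b": {(("a", "0|b"), ("b", "0|0")), (("b", "a|0"), ("a", "0|0"))},
    "0|b": {(("b", "0|0"),)},
    "a|0": {(("a", "0|0"),)},
    "0|0": {()},
}
# Constructed sample: p may stop or perform a, so clause (d) fails.
MAY_STOP = {"p": {(), (("a", "q"),)}, "q": {()}}
# Constructed sample: the choice at m depends on how m was reached,
# so clause (b) fails although clause (a) holds.
NOT_FUSED = {
    "s": {(("a", "m"), ("x", "t")), (("b", "m"), ("y", "t"))},
    "m": {(("x", "t"),), (("y", "t"),)},
    "t": {()},
}

if __name__ == "__main__":
    for name, eps in [("INTERLEAVE", INTERLEAVE), ("MAY_STOP", MAY_STOP),
                      ("NOT_FUSED", NOT_FUSED)]:
        print(name, clauses(eps), "generable:", generable(eps))
```

In each sample, `generable` agrees with the conjunction of the checked clauses, as the theorem predicts when clause (c) is vacuous.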

Each  of  these  five  properties  has  come  about  in  connection  with  a  different  cause  of  failure  of  the  converse 
of  Theorem  4.13,  and  hence  of  Theorem  4.10  and  Corollary  4.11.  And  if  we  have  been  thorough  enough,  we 
should  expect  that  the  conjunction  of  all  five  properties  be  sufficient  a  condition  for  eliminating  that  failure 
altogether.  This  turns  out  to  be  the  case. 

We say that $(C, \varepsilon)$ is generable if and only if $\varepsilon$ is generable.

Theorem 4.25. If $(C_1, \varepsilon_1)$ and $(C_2, \varepsilon_2)$ are generable, then $h$ is a homomorphism from $(C_1, \varepsilon_1)$ to $(C_2, \varepsilon_2)$ if and only if $h$ is a homomorphism from the $L$-labelled transition coalgebra $(C_1, \eta(C_1) \circ \varepsilon_1)$ to the $L$-labelled transition coalgebra $(C_2, \eta(C_2) \circ \varepsilon_2)$.

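Proof. Suppose that $(C_1, \varepsilon_1)$ and $(C_2, \varepsilon_2)$ are generable.

Suppose that $h$ is a homomorphism from $(C_1, \varepsilon_1)$ to $(C_2, \varepsilon_2)$.

Then, by Theorem 4.10, $h$ is a homomorphism from the $L$-labelled transition coalgebra $(C_1, \eta(C_1) \circ \varepsilon_1)$ to the $L$-labelled transition coalgebra $(C_2, \eta(C_2) \circ \varepsilon_2)$.

Conversely, suppose that $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$.

Let $\varepsilon'_2$ be a class function from $C_2$ to $\operatorname{Pow}\operatorname{Seq}(L \times C_2)$ such that for any $c_2 \in C_2$,

$$\varepsilon'_2(c_2) = \{ e_2 \mid \text{there is } c_1 \in C_1 \text{ and } e_1 \in \varepsilon_1(c_1) \text{ such that } h(c_1) = c_2 \text{ and } (\operatorname{Seq}(L \times h))(e_1) = e_2 \}.$$

Assume $c_2 \in C_2$ and $e_2 \in \varepsilon'_2(c_2)$.

Then there is $c_1 \in C_1$ and $e_1 \in \varepsilon_1(c_1)$ such that

$$h(c_1) = c_2$$

and

$$(\operatorname{Seq}(L \times h))(e_1) = e_2.$$

Suppose that  $= \langle\,\rangle$.

Then $e_2 = \langle\,\rangle$. Also, $(\eta(C_1) \circ \varepsilon_1)(c_1) = \emptyset$, and since $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$, $(\eta(C_2) \circ \varepsilon_2)(c_2) = \emptyset$.

Otherwise, by Corollary 4.23, there is $l$, $c'_1$, and $e'_1$ such that $(l, c'_1) \in (\eta(C_1) \circ \varepsilon_1)(c_1)$, $e'_1 \in \varepsilon_1(c'_1)$, and

$e_1 =$  $\cdot\ e'_1$.

Then $(\operatorname{Seq}(L \times h))(e'_1) \in \varepsilon'_2(h(c'_1))$ and

$$e_2 = \langle (l, h(c'_1)) \rangle \cdot (\operatorname{Seq}(L \times h))(e'_1).$$

And since $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$, $(l, h(c'_1)) \in (\eta(C_2) \circ \varepsilon_2)(c_2)$.

Thus, by generalization, $\varepsilon'_2$ is consistent with $\eta(C_2) \circ \varepsilon_2$. Then, by Corollary 4.22, for any $c_2 \in C_2$,

$$\varepsilon'_2(c_2) \subseteq \varepsilon_2(c_2).$$

And clearly, for any $c_1 \in C_1$,

$$(\operatorname{Pow}\operatorname{Seq}(L \times h))(\varepsilon_1(c_1)) \subseteq \varepsilon'_2(h(c_1)).$$

Therefore, for any $c_1 \in C_1$,

$$(\operatorname{Pow}\operatorname{Seq}(L \times h))(\varepsilon_1(c_1)) \subseteq \varepsilon_2(h(c_1)).$$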

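We use induction to prove that for any $c_1 \in C_1$ and any finite $e_2 \in \varepsilon_2(h(c_1))$, there is $e_1 \in \varepsilon_1(c_1)$ such that

$$(\operatorname{Seq}(L \times h))(e_1) = e_2.$$

If $e_2 = \langle\,\rangle$, then $(\eta(C_2) \circ \varepsilon_2)(h(c_1)) = \emptyset$, and since $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$, $(\eta(C_1) \circ \varepsilon_1)(c_1) = \emptyset$. Thus, $\langle\,\rangle \in \varepsilon_1(c_1)$.

Otherwise, by Corollary 4.23, there is $l$, $c'_2$, and $e'_2$ such that $(l, c'_2) \in (\eta(C_2) \circ \varepsilon_2)(h(c_1))$, $e'_2 \in \varepsilon_2(h(c'_1))$, and

$$e_2 = \langle (l, c'_2) \rangle \cdot e'_2.$$

And since $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$, there is $c'_1$ such that $(l, c'_1) \in (\eta(C_1) \circ \varepsilon_1)(c_1)$ and

$$h(c'_1) = c'_2.$$

Thus, by the induction hypothesis, there is $e'_1 \in \varepsilon_1(c'_1)$ such that

$$(\operatorname{Seq}(L \times h))(e'_1) = e'_2,$$

and hence, $\langle (l, c'_1) \rangle \cdot e'_1 \in \varepsilon_1(c_1)$. And clearly,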

(Seq(L  x  c[))  ■  e[)  =  e2. 

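We now prove that for any $c_1 \in C_1$ and any infinite $e_2 \in \varepsilon_2(h(c_1))$, there is $e_1 \in \varepsilon_1(c_1)$ such that

$$(\operatorname{Seq}(L \times h))(e_1) = e_2.$$

Assume $c_1 \in C_1$ and an infinite $e_2 \in \varepsilon_2(h(c_1))$.

By Corollary 4.23 and an easy induction, for every $n \in \omega$, there is $l$ and $c'_2$ such that

$$\operatorname{head} \operatorname{tail}^{n} e_2 = (l, c'_2)$$

and $\operatorname{tail}^{n+1} e_2 \in \varepsilon_2(c'_2)$.

Let $W$ be a function from $\omega$ to $(L \times C_1) \times \omega$ such that

$$W(0) = \{ ((l, c'_1), 0) \mid (l, c'_1) \in (\eta(C_1) \circ \varepsilon_1)(c_1) \text{ and } \operatorname{head} e_2 = (l, h(c'_1)) \},$$

and for every $n \in \omega$,

$$W(n + 1) = \{ ((l', c''_1), n + 1) \mid \text{there is } ((l, c'_1), n) \in W(n) \text{ such that } (l', c''_1) \in (\eta(C_1) \circ \varepsilon_1)(c'_1) \text{ and } \operatorname{head} \operatorname{tail}^{n+1} e_2 = (l', h(c''_1)) \}.$$

Since $e_2$ is non-empty, there is $l$ and $c'_2$ such that

$$\operatorname{head} e_2 = (l, c'_2).$$

And since $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$, there is $c'_1$ such that $(l, c'_1) \in (\eta(C_1) \circ \varepsilon_1)(c_1)$ and

$$h(c'_1) = c'_2.$$

Thus, $W(0) \neq \emptyset$.

Let $S = \bigcup \{ W(n) \mid n \in \omega \}$.

Then, since $W(0) \neq \emptyset$, $S \neq \emptyset$.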

Let $R$ be a binary relation on $S$ such that for every $((l, c'_1), m), ((l', c''_1), n) \in S$,

$$((l, c'_1), m) \mathrel{R} ((l', c''_1), n) \iff (l', c''_1) \in (\eta(C_1) \circ \varepsilon_1)(c'_1) \text{ and } n = m + 1.$$

Assume $((l, c'_1), n) \in S$.

Then

$$\operatorname{head} \operatorname{tail}^{n} e_2 = (l, h(c'_1))$$

and $\operatorname{tail}^{n+1} e_2 \in \varepsilon_2(h(c'_1))$. Thus, by Corollary 4.23, there is $l'$, $c'_2$, and $e'_2$ such that $(l', c'_2) \in (\eta(C_2) \circ \varepsilon_2)(h(c'_1))$, $e'_2 \in \varepsilon_2(c'_2)$, and

$$\operatorname{tail}^{n+1} e_2 = \langle (l', c'_2) \rangle \cdot e'_2.$$

And since $h$ is a homomorphism from $(C_1, \eta(C_1) \circ \varepsilon_1)$ to $(C_2, \eta(C_2) \circ \varepsilon_2)$, there is $c''_1$ such that  $\in (\eta(C_1) \circ \varepsilon_1)(c'_1)$ and

$$h(c''_1) = c'_2.$$

Thus, $((l', c''_1), n + 1) \in S$ and $((l, c'_1), n) \mathrel{R} ((l', c''_1), n + 1)$.

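Thus, by generalization, for every $s \in S$, there is $s'$ such that $s \mathrel{R} s'$. Then, by the Axiom of Dependent Choice, there is an infinite sequence $d$ over $S$ such that for every $n \in \omega$, $\operatorname{head} \operatorname{tail}^{n} d \mathrel{R} \operatorname{head} \operatorname{tail}^{n+1} d$.

Let $n = \operatorname{sec} \operatorname{head} d$.

We use induction to prove that for every $j < n + 1$, there is $l$, $c'_1$, and $e'_1$ such that $((l, c'_1), j) \in W(j)$, $e'_1 \in \varepsilon_1(c'_1)$, and

$$(\operatorname{Seq}(L \times h))(\langle (l, c'_1) \rangle \cdot e'_1) = \operatorname{tail}^{j} e_2.$$

If $j = n$, then there is $l$ and  such that

$$\operatorname{head} d = ((l, c'_1), j).$$

And clearly,  $\in W(j)$, $(\operatorname{Seq}(\operatorname{proj}_1((L \times C_1) \times \omega)))(\operatorname{tail} d) \in \varepsilon_1(c'_1)$ and

$$(\operatorname{Seq}(L \times h))(\langle (l, c'_1) \rangle \cdot (\operatorname{Seq}(\operatorname{proj}_1((L \times C_1) \times \omega)))(\operatorname{tail} d)) = \operatorname{tail}^{j} e_2.$$

Otherwise, there is $k < n + 1$ such that $j + 1 = k$. By the induction hypothesis, there is $l'$, $c''_1$, and $e''_1$ such that $((l', c''_1), k) \in W(k)$, $e''_1 \in \varepsilon_1(c''_1)$, and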

(Seq(L  x  ■  e")  =  tailfce2. 

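Since $((l', c''_1), k) \in W(k)$, there is $((l, c'_1), j) \in W(j)$ such that  $\in (\eta(C_1) \circ \varepsilon_1)(c'_1)$ and

$\operatorname{head} \operatorname{tail}^{k} e_2 = (l', h(c''_1))$. And clearly, $\langle (l', c''_1) \rangle \cdot e''_1 \in \varepsilon_1(c'_1)$ and

$$(\operatorname{Seq}(L \times h))(\langle (l, c'_1) \rangle \cdot e'_1) = \operatorname{tail}^{j} e_2.$$

Therefore, there is $l$, $c'_1$, and $e'_1$ such that $((l, c'_1), 0) \in W(0)$, $e'_1 \in \varepsilon_1(c'_1)$, and

$$(\operatorname{Seq}(L \times h))(\langle (l, c'_1) \rangle \cdot e'_1) = e_2.$$

And by definition of $W$, $(l, c'_1) \in (\eta(C_1) \circ \varepsilon_1)(c_1)$. Thus, $\langle (l, c'_1) \rangle \cdot e'_1 \in \varepsilon_1(c_1)$.

Thus, by generalization, for any $c_1 \in C_1$,

$$(\operatorname{Pow}\operatorname{Seq}(L \times h))(\varepsilon_1(c_1)) \supseteq \varepsilon_2(h(c_1)).$$

Thus,

$$(\operatorname{Pow}\operatorname{Seq}(L \times h)) \circ \varepsilon_1 = \varepsilon_2 \circ h,$$

and hence, $h$ is a homomorphism from $(C_1, \varepsilon_1)$ to $(C_2, \varepsilon_2)$. □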

The  following  is  immediate  from  Theorem  2.6  and  4.25: 

Corollary 4.26. If $(C_1, \varepsilon_1)$ and $(C_2, \varepsilon_2)$ are generable, then $B$ is a bisimulation between $(C_1, \varepsilon_1)$ and $(C_2, \varepsilon_2)$ if and only if $B$ is a bisimulation between the $L$-labelled transition coalgebra $(C_1, \eta(C_1) \circ \varepsilon_1)$ and the $L$-labelled transition coalgebra $(C_2, \eta(C_2) \circ \varepsilon_2)$.
Once more, we can translate all this back to the system side of the theory.

Assume a binary relation $T$ between $S$ and $L \times S$.

We write $\mathcal{E}_T(E)$ for a binary relation between $S$ and $\mathcal{S}(L \times S)$ such that for any $s \in S$ and every $e \in \mathcal{S}(L \times S)$,

$s \mathrel{\mathcal{E}_T(E)} e \iff$ either there is no $(l, s')$ such that $s \mathrel{T} (l, s')$, and $e = \langle\,\rangle$,

or there is $(l, s')$ such that $s \mathrel{T} (l, s')$, $\operatorname{head} e = (l, s')$, and $s' \mathrel{E} \operatorname{tail} e$.

The  following  is  trivial: 

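Proposition 4.27. $\mathcal{E}_T(E) = \operatorname{rel} \mathcal{G}_{\operatorname{fun} T}(\operatorname{fun} E)$.

We think of $\mathcal{E}_T$ as a function on binary relations between $S$ and $\mathcal{S}(L \times S)$. And the reason that we are interested in this function is that it preserves the ordering of binary relations between $S$ and $\mathcal{S}(L \times S)$ induced by the inclusion relation on their graphs: for every binary relation $E_1$, $E_2$ between $S$ and $\mathcal{S}(L \times S)$, if

$$\operatorname{graph} E_1 \subseteq \operatorname{graph} E_2,$$

then

$$\operatorname{graph} \mathcal{E}_T(E_1) \subseteq \operatorname{graph} \mathcal{E}_T(E_2).$$

This ordering is of course a complete lattice, and hence, by Tarski’s Lattice-theoretical Fixpoint Theorem, so is the set of all fixed points of $\mathcal{E}_T$.

We write $\operatorname{exec} T$ for the greatest fixed point of $\mathcal{E}_T$.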

Notice  that  here,  the  coinduction  proof  technique  of  [47]  is  directly  applicable. 

The following follows from Proposition 4.27 and the fact that $\operatorname{gen} \operatorname{fun} T$ is the greatest fixed point of $\mathcal{G}_{\operatorname{fun} T}$:

Proposition 4.28. $\operatorname{exec} T = \operatorname{rel} \operatorname{gen} \operatorname{fun} T$.

We say that $T$ generates $E$ if and only if $\operatorname{exec} T = E$.

We say that $E$ is generable if and only if there is a binary relation between $S$ and $L \times S$ that generates $E$.

The following is immediate from Proposition 3.3 and 4.28:

Proposition  4.29.  E  is  generable  if  and  only  if  fun  E  is  generable. 

The  following  is  immediate  from  Proposition  3.3,  4.12,  4.28,  and  4.29: 

Proposition  4.30.  The  following  are  true: 

(a) $\operatorname{trans} \operatorname{exec} T = T$;

(b) if $E$ is generable, then $\operatorname{exec} \operatorname{trans} E = E$.

We  say  that  ( S ,  E)  is  generable  if  and  only  if  E  is  generable. 

The  following  is  immediate  from  Proposition  4.29: 

Proposition  4.31.  ( S,E )  is  generable  if  and  only  if  the  L-labelled  execution  coalgebra  (S,  fun  E)  is 
generable. 
The following is immediate from Proposition 3.3(b), 3.7, 4.6, and 4.12, and Corollary 4.26:

Theorem 4.32. If $(S_1, E_1)$ and $(S_2, E_2)$ are generable, then $B$ is a bisimulation between $(S_1, E_1)$ and $(S_2, E_2)$ if and only if $B$ is a bisimulation between the $L$-labelled transition systems $(S_1, \operatorname{trans} E_1)$ and $(S_2, \operatorname{trans} E_2)$.

Proposition  4.30  and  Theorem  4.32  confirm  what  has  been  implicit  throughout  this  section:  generable 
labelled  execution  systems  are  just  another  representation  of  labelled  transition  systems.  This  is  even  more 
evident  in  the  coalgebra  side  of  the  theory. 

We  write  L-LECgen  for  the  category  whose  objects  are  all  the  generable  L-labelled  execution  systems,  and 
arrows  all  the  homomorphisms  from  one  generable  L-labelled  execution  system  to  another. 

The  following  is  immediate  from  Proposition  4.20  and  Theorem  4.25: 

Theorem  4.33.  L-LECgen  and  L-LTC  are  isomorphic. 

Thus,  for  all  practical  purposes,  generable  labelled  execution  coalgebras  are  equivalent  to  labelled 
transition  coalgebras. 

In  light  of  this  equivalence,  Theorem  4.24  does  not  just  characterize  generable  labelled  execution 
coalgebras.  It  marks  the  boundary  between  the  expressive  power  of  labelled  transition  coalgebras  and 
labelled  execution  coalgebras.  And  what  it  implies  is  that  there  is  no  sense  in  choosing  the  latter  over  the 
former  unless  we  are  willing  to  give  up  one  or  more  of  the  five  properties  listed  in  the  respective  clauses  of 
Theorem  4.24. 


5  Related  work 

As  already  argued  in  the  introduction,  what  Milner  advocated  was  a  dichotomy  between  causation  and 
observation  in  the  theory  of  concurrency.  But  the  expansion  law,  and  its  reckless  use  with  agents  with 
infinite  behaviours,  skewed  that  dichotomy  into  a  controversy  between  so-called  “true  concurrency”  and 
interleaving  semantics.  And  in  the  midst  of  that  controversy,  interleaving  came  to  be  thought  of  as  no  more 
than  bounded  indeterminacy.  However,  the  real  cause  of  this  was  not  the  expansion  law  per  se,  but  the  use 
of  labelled  transition  systems  as  models  of  agent  behaviour.  After  all,  interleaving  is  an  operation  on 
executions,  not  transitions. 

Rather than generalizing transition systems into execution ones, and obtaining a modelling structure that can do justice to the notion of interleaving, and ultimately to the observational view, efforts were steered toward decorating the former with all kinds of different pieces of information that would alleviate the various deficiencies of that misrepresented notion of interleaving (e.g., see [16, 23, 21, 17, 18]). And more often than not, the result was a kind of modelling structure that could no longer claim adherence to the observational view. The few attempts that did use executions directly, at least those that we are aware of (see [22], [20]), were not concerned with organizing them into structures and looking at their branching properties, and anyway, seem to have received only scant attention.

The  first  place  where  we  do  see  executions  organized  into  structures  is  not  process  algebra,  but  temporal 
logic.  These  so-called  “path  structures”  (see  Section  4.1)  are  quite  popular  in  the  beginning.  We  do  not  see 
a  formal  concept  of  bisimulation  for  them,  but  there  is  definitely  interest  in  their  branching  properties.  The 
notions  of  suffix,  fusion,  and  limit  closure  are  all  defined  in  connection  with  path  structures.  Eventually, 
they  give  way  to  Kripke  structures,  inherited  from  modal  logic,  and  claimed  to  provide  “a  setting  more 
appropriate  to  concurrency”  (see  [26,  p.  152]).  They  do  not,  we  think.  But  despite  the  voiced  arguments  for 
a separation between implementation and correctness issues in reasoning about concurrent programs (e.g.,
see  [19]),  transitions  remain  in  the  lead  role. 

In  [31],  Hennessy  and  Stirling  introduce  what  appears  to  be  the  first  type  of  labelled  execution  system  in 
the literature. They call systems of that type general transition systems, and in their definition, demand not only suffix and fusion closure, but prefix closure as well, with the justification that it “also appears to be natural” (see [31, p. 27]). They also define a concept of extended bisimulation for such systems, which is basically the same as our canonically derived concept of bisimulation between labelled execution systems (see Definition 4.5). The focus in [31] is on logic, and specifically, on a generalization of Hennessy-Milner
Logic  (see  [30])  to  general  transition  systems.  But  what  is  surprising  is  that  no  attempt  is  later  made  to 
apply  the  ideas  of  general  transition  systems  and  extended  bisimulations  to  the  semantics  of  processes. 

More  than  ten  years  later,  these  ideas  pop  up  in  a  “very  rough  and  incomplete  draft”  of  Aczel  (see  [5]), 
who is aware of Hennessy’s work in [29], a precursor of [31], but apparently, unaware of the work in [31] (see footnote in [5, p. 3]). Aczel’s intention is to apply the final universe approach of [4] to the semantics of
Milner’s  SCCS  with  finite  delay  (see  [44]).  The  proposed  type  of  structure  is  a  generalized  type  of  labelled 
transition  system,  where  each  state  is  equipped  with  the  set  of  all  infinite  sequences  of  transitions 
“admissible”  from  that  state.  An  added  condition  of  “stability”  makes  structures  of  that  type  ultimately 
equivalent  to  the  general  transition  systems  of  [31],  but  only  because  the  latter  are  prefix  closed. 

Eventually,  these  structures  are  represented  as  coalgebras  over  Class,  and  [4,  thm.  2.2]  is  used  to  prove  the 
existence of a final coalgebra in the full subcategory of all such coalgebras that are “stable”.

The only other place where we find these ideas applied to the semantics of processes is [32]. The starting
point  is  again  Milner’s  SCCS  with  finite  delay,  and  the  structures  used  are  practically  the  same  as  in  [5]. 
But  the  approach  is  purely  categorical.  Indeed,  the  main  goal  in  [32]  is  showing  how  much  can  be  done 
within  category  theory  alone. 

Comparing  [31],  [5],  and  [32]  with  our  work  here,  there  are  two  things  that  we  think  stand  out  and  would 
like  to  mention.  First,  regarding  the  general  idea  underlying  the  concept  of  labelled  execution  system,  we 
find  that  in  all  three  of  [31],  [5],  and  [32],  the  notion  of  indeterminate  termination,  and  its  use  in  modelling 
the  behaviour  of  reactive  systems,  has  been  completely  overlooked.  This  is  easy  to  put  right  in  [31],  where 
prefix  closure  is  an  added  feature,  but  not  so  in  [5]  and  [32],  where  the  property  is  practically  built  into  the 
structure  of  a  system.  And  second,  regarding  the  formalization  of  the  idea,  we  believe  that  the  present 
approach  represents  a  great  simplification,  both  conceptually  and  notationally,  over  what  was  done  in  all 
three of [31], [5], and [32].

It  should  be  emphasized  that  the  precedence  of  [31],  [5],  and  [32]  over  our  work  here  is  not  causal,  only 
temporal.  Our  ideas  were  developed,  and  for  the  most  part,  worked  out  before  any  acquaintance  with  these 
studies.  The  above  review  was  mainly  driven  by  our  curiosity  to  understand  why  ideas  that  in  retrospect 
seem  so  natural  have  not  found  their  way  into  the  household  of  the  average  concurrency  theorist.  In  the 
end,  one  can  only  speculate.  One  thing  is  certain  though:  if  matters  of  pedagogy  have  played  any  role  in 
this,  transition  semantics  have  definitely  profited  from  it;  for  people  like  pictures,  and  execution  systems 
are  impossible  to  draw. 


6  Conclusion 

The  purpose  of  this  work  was  to  introduce  the  concept  of  labelled  execution  system,  a  generalization  of 
that  of  labelled  transition  system  that  we  believe  can  better  accommodate  the  needs  of  an  observational 
approach  to  concurrency  theory.  And  as  we  saw  in  Section  4.5,  in  order  for  the  use  of  labelled  execution 
systems  over  labelled  transition  systems  to  be  justified,  one  or  more  of  the  five  properties  listed  in  the 
respective clauses of Theorem 4.24 must be given up. But as we saw in Section 4.3, if we want our systems to be “well behaved”, the first two of them must be held on to. Therefore, if we ignore the rather uninteresting non-triviality condition, we are left with having to give up limit closure, impossibility of indeterminate termination, or both.

In fact, giving up either of these two properties has its own merit. For example, giving up limit closure
enables  us  to  faithfully  model  the  finite  delay  property,  so  intrinsically  bound  to  the  notion  of  asynchronous 
parallelism.  And  possibility  of  indeterminate  termination  provides  us  with  the  means  of  simulating  the 
behaviour  of  a  capricious  environment  that  may  at  any  time  cease  to  produce  input  stimuli. 

Returning  to  the  discussion  in  our  introduction,  it  is  not  hard  to  see  how  one  could  use  Abrahamson 
systems to provide a model for Milner’s CCS that avoided “explicating parallelism in terms of non-determinism”, at least in the stronger sense of the expansion law, and to be sure, distinguished between
the  two  sides  of  (2).  The  critical  step  is  of  course  in  the  treatment  of  parallel  composition  as  a  fair  merge 
operation  over  the  executions  of  the  individual  systems  under  composition,  which,  however,  does  not  seem 
to  present  any  particular  difficulty  (e.g.,  see  [50]),  and  can  be  fitted  to  different  notions  of  fairness,  such  as, 
for  example,  weak  and  strong  fairness  (see  [10]).  But  if  one  is  really  serious  about  this  endeavour,  one  must 
also  allow  for  abstraction,  whereby  certain  actions  of  an  agent  become  unobservable.  And  this  calls  for  a 
suitably  weakened  version  of  bisimilarity  among  labelled  execution  systems.  An  interesting  question  then  is 
whether  such  a  weaker  version  can  be  canonically  obtained  by  the  coalgebraic  methods  used  here.  If 
possible,  this  could  lead,  through  Theorem  4.33,  to  a  coalgebraic  characterization  of  weaker  versions  of 
bisimilarity  among  labelled  transition  systems  as  well,  a  goal  that  has  heretofore  remained  elusive. 

Finally,  another  interesting  direction  for  future  work  is  the  stratification  of  the  concept  of  bisimilarity 
among  labelled  execution  systems,  which  can  be  obtained  in  a  manner  completely  analogous  to  the  case  of 
labelled  transition  systems  (e.g.,  see  [46,  chap.  10.4]).  In  the  latter  case,  each  iteration  of  the  stratification 
process  is  associated  with  a  notion  of  depth  down  to  which  certain  differences  in  branching  structure  can 
be  observed.  This  is  most  starkly  evident  in  the  classical  example  used  to  demonstrate  that,  in  the  case  of 
infinitely  branching  systems,  a  transfinite  number  of  iterations  is  needed  for  the  stratification  process  to 
converge  (e.g.,  see  [60,  exam.  2.6]).  In  the  case  of  labelled  execution  systems,  however,  there  is  no  such 
notion  of  depth,  and  that  particular  example  is  defused.  This  is  not  to  say  that,  in  that  case,  the 
stratification process does not need a transfinite number of iterations to converge, which can be shown to
fail  by  appropriately  embedding  the  labelled  transition  systems  of  [46,  prop.  10.5]  in  the  executions  of 
certain  suitably  constructed  labelled  execution  systems.  But  the  proposed  stratification  of  bisimilarity  can 
be  seen  as  a  stratification  of  the  linear-time/branching-time  spectrum  (e.g.,  see  [62]),  offering  a  natural 
formal  framework  for  the  classification  of  different  semantic  notions  within  that  spectrum. 